Integrated Design and Process Technology, IDPT-2002 Printed in the United States of America, June, 2002 c 2002 Society

for Desing and Process Science

Modeling Techniques in Design-by-Renement Methodologies

Jerry R. Burch , Roberto Passerone , Alberto L. Sangiovanni-Vincentelli

Cadence Berkeley Laboratories, Berkeley CA 94704 Department of EECS, University of California at Berkeley, Berkeley CA 94720
on prototypes. In the face of growing complexity and tightening of time-to-market, cost and safety constraints, this approach will have to yield to more rigorous methods. We believe that it is most likely that the preferred approaches to the implementation of complex embedded systems will include the following aspects: Design time and cost are likely to dominate the decisionmaking process for system designers. Therefore, design reuse in all its shapes and forms, as well as just-in-time, low-cost design debug techniques will be of paramount importance. Designs must be captured at the highest level of abstraction to be able to exploit all the degrees of freedom that are available. Such a level of abstraction should not make any distinction between hardware and software, since such a distinction is the consequence of a design decision. The implementation of efcient, reliable, and robust approaches to the design, implementation, and programming of concurrent systems is essential. In essence, whether the silicon is implemented as a single, large chip or as a collection of smaller chips interacting across a distance, the problems associated with concurrent processing and concurrent communication must be dealt with in a uniform and scalable manner. In any large-scale embedded systems program, concurrency must be considered as a rst class citizen at all levels of abstraction and in both hardware and software. Concurrency implies communication among components of the design. Communication is too often intertwined with the behavior of the components of the design so that it is very difcult to separate out the two issues. Separating communication and behavior is essential to overcome system design complexity. If in a design component behaviors and communications are intertwined, it is very difcult to re-use components since their behavior is tightly dependent on the communication with other components of the original design. A great deal of excellent work has been done in a project centered around Ptolemy, where the issues related to the composition of models of computation and a general simulation framework have been carefully studied [9], [10]. The Ptolemy environment allows the efcient simulation and analysis of functional behavior of heterogeneous systems. In a companion project, we have advocated the introduction of rigorous methodologies for system-level design for years (e.g., [2], [20]) but we feel that there is still much to do. Recently we have directed our efforts to a new companion endeavor that tries to capture the requirements of present day embedded system design: the Metropolis project. The Metropolis project ([3]) has the objective of provid-

ABSTRACT: Embedded system design methodologies that are based on the effective use of multiple levels of abstraction hold promise for substantial productivity gains. Starting the design process at a high level of abstraction improves control over the design and facilitates verication and synthesis. In particular, if we use a rigorous approach to link the levels of abstraction, we can establish properties of lower levels from analysis at higher levels. This process goes by the name of design by renement. To maximize its benet, design by renement requires a formal semantic foundation that supports a wide range of levels of abstraction (e.g., from differential equations describing physical behaviors to high-level requirement specications). We describe such a semantic foundation, and give examples of how it integrates several well-known models for reactive systems. The semantic foundation allows us to establish the relationships among the different levels of abstractions even when non-homogeneous models are used to describe the design. These relationships are essential to establish properties and to document assumptions about the way the models are used, preventing common errors that are difcult to detect and may otherwise require long redesign cycles. I. I NTRODUCTION Microscopic devices, powered by ambient energy in their environment, will be able to sense numerous elds, position, velocity, and acceleration, and communicate with appropriate and sometimes substantial bandwidth in the near area. Larger, more powerful systems within the infrastructure will be driven by the continued improvements in storage density, memory density, processing capability, and system-area interconnects as single board systems are eclipsed by complete systems on a chip. Data movement and transformation is of central importance in such applications. Future devices will be network-connected, channeling streams of data into the infrastructure, with moderate processing on the y. Others will have narrow, applicationspecic user interfaces. Applications will not be centered within a single device, but stretched over several, forming a path through the infrastructure. In such applications, the ability of the system designer to specify, manage, and verify the functionality and performance of concurrent behaviors is essential. Currently deployed design methodologies for embedded systems are often based on ad hoc techniques that lack formal foundations and hence are likely to provide little if any guarantee of satisfying a set of given constraints and specications without resorting to extensive simulation or tests

ing a design methodology and the software infrastructure to enable the design of embedded systems. The focus of the project is in a complete design system for embedded systems from specications to implementation using methodologies such as platform-based design, communicationbased design and successive renement. The focus is on formal analysis and synthesis techniques for heterogeneous embedded systems. The word heterogeneous highlights the fact that in complex designs that interact with the real world, different parts of a design are likely to be modeled using very different techniques. For this reason, Metropolis is centered around its meta-model of computation, a set of primitives that can be used to construct several different models of computation. The long term objective of this work is to lay the foundations for providing a denotational semantics for the meta-model. Here we begin by studying the semantic domain of several of the models of computation of interest, and by studying how relationships between these models can be established. To do so, we have created a mathematical framework in which to express semantic domains in a form that is close to their natural formulation (i.e. the form that is most convenient for a given domain), and yet structured enough to give us results that apply regardless of the particular domain in question. An important factor in the design of heterogeneous systems is the ability to exibly use different levels of abstraction. Different abstractions are often employed for different parts of a design (by way of different models of computation, for instance). Even each individual piece of the design undergoes changes in the level of abstraction during the design process, as the model is rened towards a representation closer to the nal implementation. Different levels of detail are also used to perform different kinds of analysis: for example, a high level functional verication versus a detailed electromagnetic interference analysis. Thus, we provide a mathematical framework that allows the user to choose the best abstraction for the particular task at hand, and to formally relate that abstraction to different abstractions used for other tasks. Here, we also recognize that abstraction may come in very different forms that include the model of computation, the scope or visibility of internal structures, or the model of the data. In our work, we concentrate on semantic domains for concurrent systems and on the relations and functions over those domains. We also emphasize the relationships that can be constructed between different semantic domains. This work is therefore independent of the specic syntaxes and semantic functions employed. Likewise, we concentrate on a formulation that is convenient for reasoning about the properties of the domain. As a result, we do not emphasize nite representations or executable models, which we defer for future work. The following sections introduce our framework. The exposition will focus on the denition of a natural semantic domain for a specic application, and its formulation in the framework. Later in the paper we consider examples of relationships that can we can build between some of the domains. These relationships are the basic tools to be used

in studying the properties of heterogeneous systems. II. R ELATED W ORK Several formal models have been proposed over the years (see e.g. [12]) to capture one or more aspects of computation as needed in embedded system design. Many models of computation can be encoded in the Tagged Signal Model [16]. However, because encoding is necessary, the level of abstraction is effectively changed, so some of the advantages of the original model of computation may be lost. In this work, in contrast, we describe a framework that is less restrictive than the Tagged Signal Model in terms of what can be used to represent behaviors, and we concentrate on building relationships between the models that t in the framework. The study of systems in which differnt parts are described using different models of computation (heterogeneous systems) is the central theme of the Ptolemy project [9], [10]. Our work shares the basic principles of providing exible abstractions and an environment that supports a structured approach to heterogeneity. The approach, however, is quite different. In Ptolemy each model of computation is described operationally in terms of a common executable interface. For each model, a director determines the activations of the actors (for some models, the actors are always active and run in their own thread). Similarly, communication is dened in terms of a common interface. The director together with an implementation of the communication interface (a receiver) denes the communication scheme and the possible interactions with other models of computation. On the other hand, we base our framework on a denotational representation and deemphasize executability. Instead, we are more concerned with studying the process of abstraction and renement in abstract terms. For example, it is easy in our framework to model the non-deterministic behavior that emerges when an abstract model is embedded into a more detailed model. Any executable framework would require an upfront choice that would make the model deterministic, potentially hiding some aspects of the composition. There is a tradeoff between two goals: making the framework general, and providing structure to simplify constructing models and understanding their properties. While our framework is quite general, we have formalized several assumptions that must be satised by our domains of agents. These include both axioms and constructions that build process models (and mappings between them) from models of individual behaviors (and their mappings). These assumptions allow us to prove many generic theorems that apply to all semantic domains in our framework. In our experience, having these theorems greatly simplies constructing new semantic domains that have the desired properties and relationships. Process Spaces [17], [18] are an extremely general class of concurrency models. However, because of their generality, they do not provide much support for constructing new semantic domains or relationships between domains. For example, by proving generic properties of broad classes of conservative approximations, we remove the need to re-

prove these properties when a new conservative approximation is constructed. We introduce the notion of a conservative approximation to relate one domain of agents to another, more abstract, domain. A conservative approximation has two functions. The rst, called the lower bound, is used to abstract agents that represent the specication of a design. The second, called the upper bound, is used to abstract agents that represent possible implementations of the specication. A conservative approximation is dened so that if the implementation satises the specication in the abstract domain, then the implementation satises the specication in the more detailed domain, as well. Our notion of conservative approximation is closely related to the Galois connection of an abstract interpretations [6], [7]. In particular, the upper bound of a conservative approximation roughly corresponds to the abstraction function of a Galois connection. However, the lower bound of a conservative approximation appears to have no analog in the theory of abstract interpretations. To our knowledge, for abstract interpretations a positive verication result in the abstract domain implies a positive verication result in the concrete domain only if there is no loss of information when mapping the specication from the concrete domain to the abstract domain. Thus, conservative approximations allow non-trivial abstraction of both the implementation and the specication, while abstract interpretations only allow non-trivial abstraction of the implementation. The ability to dene domains of agents for different models of computation is also a central concept of the Rosetta language [1]. In Rosetta, a domain is described declaratively as a set of assertions in some higher order logic. Different domains can be obtained by extending a denition in a way similar to the sub-typing relation of a type system. Domains that are otherwise unrelated can be composed by constructing functions, called interactions, that (sometimes partially) express the consequences of the properties and quantities of one domain onto another. This process is particularly useful for expressing and keeping track of constraints during the renement of the design. In contrast to Rosetta we are not concerned with the denition of a language. In fact, we dene the domain directly as a collection of elements of a set, not as the model of a theory. In this sense, the approach taken by Rosetta seems more general. As already discussed, however, the restrictions that we impose on our models allow us to prove additional results that help create and compare the models. A detailed analysis of the relationships between the two frameworks is one of the topics of our current research. In our framework we dene a domain of agents that is suitable for describing the behavior of systems that have both continuous and discrete components. The term hybrid is often used to denote these systems. Many are the models that have been proposed to represent the behavior of hybrid systems. Most of them share the same view of the behavior as composed of a sequence of steps; each step is either a continuous evolution (a ow) or a discrete change (a jump). Different models vary in the way they represent the sequence. One example is the Masaccio model pro-

posed by Henzinger et al. [13], [14]. In Masaccio the representation is based on components that communicate with other components through variables and locations. During an execution the ow of control transitions from one location to another according to a state diagram that is obtained by composing the components that constitute the system. Each transition in the state diagram models a jump or a ow of the system and constrains the input and output variables through a difference or differential equation. The underlying semantic model is based on sequences. legal jumps and ows that can be taken during the sequence of steps. In our framework we talk about hybrid models in terms of the semantic domain only (which is based on functions of a real variable rather than sequences). This is a choice of emphasis: in Masaccio and other hybrid models the semantic domain is used to describe the behavior of a system which is otherwise represented by a transition diagram. In contrast, in our framework the semantic domain is the only concern and we seek results that are independent of the particular (nite state) representation that is used. Another related concept that is found in models for hybrid systems is that of renement. In our framework we must distinguish between two notions of renement. The rst is a notion of renement within a semantic domain: in our framework this notion is based on pure trace containment, and is analogous to those dened in the majority of hybrid models. The second notion of renement that is present in our framework has to do with changes in the semantic domain. This notion is embodied in the concept of conservative approximation that relates models at one level of abstraction to models at a different level of abstraction. There is no counterpart of this notion in the hybrid models. III. M OTIVATING E XAMPLE As already mentioned, we require our framework to support multiple models of computation during the design process. In this section we provide a motivating example for this requirement, which we will use throughout the paper. The example, shown in Figure 1, is an abstracted version of the PicoRadio project ([19]), developed at the Berkeley Wireless Research Center. A PicoRadio is a node in a network that exchanges information with its neighboring nodes. Depending on the application, a PicoRadio may function as the intercom end of a communication system, or as a controller for a set of sensors and actuators. Whatever its function is, the PicoRadio must include several subsystems, as shown in Figure 1. Since communication with neighboring nodes occurs on a wireless link, a Radio Frequency (RF) subsystem is used to interface the design to the channel. Demodulation and decoding is done at the baseband level, after conversion from the high transmission frequency. The data streams obtained from the baseband is interpreted by a protocol stack, which feeds the application that ultimately interfaces with the user. The design of such systems is complex, not so much in terms of their size, but because of the very stringent constraints on power and because of the intrinsic interactive nature of the nodes. Together, they call for a new design methodology and indeed, developing the new methodology

PrePost

Application

Transport Layer

Network Layer

Manager

Tables and Parameters

MAC Layer
User

CSP

Link Layer

f1

f1+f2 f1f2 f2

f1f2

Physical Layer

Continuous Time
m + f s c1

Process Networks

c1

RF

Fig. 1. Full system

was the primary task during the design of the rst version of the Picoradio ([8]). Because power concerns are best attacked at the algorithmic level, new protocols are being devised whose primary purpose is to maximize the life-time of the system. Consequently, the interaction between the different subsystems becomes critical. Each subsystem must be described in some model of computation in order to properly verify its function through simulation and verication. Ideally, for each subsystem, we would like to use the model that is best suited for the particular task. Hence, the design ow often includes several different tools and models that offer characteristics appropriate to the specic subsystem being considered. In practice, however, the segmentation of the design process that results makes the interaction between different subsystems and the consequences of the design choices difcult to analyze. Typically, the solution to the problem involves simplifying the interfaces between subsystems by assuming certain timing behaviors. However, this not only may not be possible in certain situations, but it also amounts to working at a lower level of abstraction where the benets of an application specic model could be diminished or lost. The interaction between different models of computation can be understood when the description of the models is embedded in the same unifying framework. Trace algebras is one such framework. The remaining sections of the paper discuss the details of the framework by examining appropriate models of computation for each of the subsystems above. IV. F ORMAL F RAMEWORK In this section and in those that follow we introduce our formal framework. Given a model of computation, the task of building the corresponding model in the framework begins with the definition of a set of elements and some functions that operate on them, grouped together into an algebraic structure that we call trace algebra. We call each element a trace. Traces correspond intuitively to individual executions of agents in

the given model of computation. Despite their name, traces are not limited to sequences, but, as we shall see in the examples, they can be any mathematical object that can be dened to satisfy the laws of the algebra. The functions, on the other hand, are analogous to the common operations that can be performed on the executions in the model of computation. The laws of the algebra ensure that the functions behave according to their intuitive sense. From the trace algebra, we construct a second algebra whose elements are the agents of the model of computation, expressed primarily as a set of traces. We call each agent a trace structure, and the corresponding algebra a trace structure algebra. Likewise, we construct a set of functions on the agents that satisfy the laws of the algebra and represent operations such as composition and instantiation. The laws are again dened to ensure the proper interpretation of the operations. For each model of computation we construct a trace algebra and a trace structure algebra. Because different trace algebras have the same structure in terms of the kind and number of operations, one can understand how one model relates to another by constructing mappings that preserve the application of the operation on traces. These mappings are then used to construct approximations (abstractions) on the agents. The purpose of the framework is to make it easy to construct the models and their relationships through the application of general results that derive from the algebraic structure. In this section we present the basic concepts and denitions by way of an example, i.e. the formalization of a semantic domain suitable for the representation of behaviors in a model of computation that supports continuous time. We rst present a formalization that can be considered natural for the domain of application, and then show how the same can be cast in terms of a general set of denitions. A. Traces and Trace Structures In this section we present both the basic concepts of our framework, and the example of the formalization of a semantic domain for a model of computation based on continuous time. The model of computation that we have in mind relies on equations to express the relationships between the quantities that occur in the model. More specically, we are interested in a model of computation where the quantities (variables) are functions over the set of reals. By convention, it is assumed that the set of reals represents time, and we talk about functions over time. Consequently, the equations we are interested in are relations on functions over time, and we denote the independent variable with the letter . Consider the following equation:

Discrete Event

(1)

This is an equation in the unknown . Traditionally, the interpretation of the equation is done in terms of the set of possible solutions. In our case, the set consists of functions that are associated to the variable . A function is a solution of the equation if, when substituted for the un-

known, the resulting relation is true. The notation denotes the set of non-negative reals (we use non-negative reals because we assume there exists an initial point in time). In this particular case there is only one solution

take the alphabet as a parameter. In the case of the continuous time model of computation, we must assign a function over the reals to each of the symbols in the alphabet. For our example, we could use traces of the form

In our framework we want to make the interpretation in terms of the set of solutions more precise. More specically, we are looking for a set of elements that can form the range of a semantic function that denotes the interpretation of the equation. In the rst place, the existence of variables in the above formulation suggests that an important element in the framework should be the ability to name elements that appear in the model. In general, these externally visible features of agents could be actions, signals, state variables, etc. In our formal framework we do not distinguish among the different types, and we refer to them collectively as a set of signals . Each agent is then associated with an alphabet of the signal it uses. An agent is also characterized by a signature, which we denote with the symbol . The structure of the signature depends on the particular model of computation, and it uses the symbols in the alphabet to model the visible interface of the agent. For the equation in the example above, the alphabet consists of the names of the variables that appear in the equation: Note in particular that is not included in the alphabet, because of its special role as an independent variable. Note also that the equation simply describes a condition for a function to be a solution. Therefore, when constructing a model for an agent represented by continuous time equations, we do not specify the direction of the signals (input or output), but simply associate a set of signals to each agent. Hence, the signature for agents in the continuous time model of computation simply consists of the set of symbols : Consider again the equation 1. As mentioned, we interpret the equation (agent) as the set of its possible solutions. In turn, we may interpret each solution as one possible behavior of the agent. We generalize this concept by always maintaining a clear distinction between models of agents (a.k.a. processes) and models of individual executions (a.k.a. behaviors). In different models of computation, individual executions can be modeled by very different kinds of mathematical objects. In our framework, we always call these objects traces. In the specic case of functions over time, an individual execution is a set of functions, one for each unknown in the equation (a singleton in our example, since there is only one dependent variable). An agent is a set of sets of functions. We dene traces for the continuous time model to be a close formalization of the natural interpretation of solution. However, we should make the relationship between the solution and the variable precise. Because the denition of a trace must be independent of the particular agent, it must

where the set is the range of the functions. In our case we . A trace thus contains both the solution, and have the association of each of the functions in the solution to the variables that appear in the equation. For the example above, the (only) solution can be expressed as a trace where

Note that there might be several possible valid denitions of a trace. For example, a trace might associate to each moment in time the values of the functions. The traces are thus functions of the form

The choice of alternative, isomorphic, denitions is often a matter of convenience in dening the operations that we discuss below, or it might reect the desire to highlight certain aspects of the behavior. In this particular example, the equation admits only one solution. More in general, equations may have several solutions. Consider for example the modied equation

In this case the solution varies according to the values of the parameter . We say that a function is a solution to the equation if there exists a value of the parameter such that the equation is satised. The solutions thus form a set. Since traces are individual solutions, sets of traces are the agents. More formally we can write the denotation of the equation above as

This example shows that, in general, an agent admits several different possible behaviors. Hence, a model of an agent, which we call a trace structure in our framework, consists of the signature and of a set of traces. We usually denote the trace structure as the pair . This is analogous to verication methods based on language containment, where individual executions are modeled by strings and agents are modeled by sets of strings. However, our notion of trace is much more general and so is not limited to strings. Systems of equations do not present any additional problem. Consider for example the system

In this case we dene the alphabet as the set and the signature as . However, the denition of a

trace and of a trace structure is unchanged. A trace is again a function from the alphabet to the set of functions on time, and a trace structure is the signature together with a set of traces. What changes is the set of traces for this particular agent, which is now expressed as the set

solutions. In our example, the trace structure has alpha and signature . The trace structure bet is such that is the set of traces that satisfy the equation. Note that in the denition above the trace structure doesnt include an initial condition: this is intentional, as we want the trace structure to model all possible solutions. Initial and boundary conditions, if any, arise implicitly as a result of the interaction (parallel composition) of different trace structures. B. Operations on Trace and Trace Structures To complete our framework we dene certain operations on individual behaviors and on agents. These operations, as we shall see, are dened to support common tasks used in design, like that of scoping, instantiation and composition of agents. The rst operation is called projection, and consists in removing from a trace all information related to certain signals. In our example of functions over time, this corresponds to retaining only the functions of interest (for instance ) in the solution, and dropping the others ( is our case). In our framework we denote the operation of projection by proj . If is the set of signals that we want to retain, we dene the projection as a restriction on the domain of the functions that characterize a trace . Formally we write:

Systems of equations can have two interpretations. On the one hand, they represent an agent whose constraints on the variables are expressed by different equations. On the other hand, they may represent the interaction of different agents, each represented by disjoint subsets of the equations in the system. The two views can be reconciled by interpreting the agent as a whole as the result of the interaction of the individual agents. We discuss the details of how this ts into our framework after introducing an example in continuous time that is more relevant to the PicoRadio system introduced in Section III, Once we have established the notion of a trace and of a trace structure, the complexity of the equation doesnt really matter. In fact, we are not interested in solving the equation, but in providing a structured semantic domain for its interpretation. In particular, interpreting differential equations is no more complex than interpreting the simple linear equations shown above. As an example, consider the following differential equation

proj

This is a homogeneous second order differential equation in the variables and . The solutions of this equation describe an oscillatory behavior. In fact, this equation might be used to model an oscillator that generates a signal (for example a voltage) that we denote by the symbol , whose frequency is controlled by another signal, denoted by the symbol . Solutions to this equation are in the form of pairs of functions and . In general, solutions to differential equations depend on arbitrary parameters, whose value can be xed by providing appropriate initial conditions. For instance we might require that

Given the initial condition, one possible solution to this equation is the following pair of functions:

where the notation introduces a function of the named variable, as usual. Projection on trace structures (agents) can be seen as the natural extension to sets of a corresponding operation of projection on individual traces. When applied to agents, the operation of projection corresponds to that of hiding internal variables in the equation. Note that the constraints imposed by the equation on the variables are retained, but their effect is only visible from outside through the remaining signals. In other words, the scope of the hidden variables is limited to the equation they belong to. The second operation is called renaming, and consists in changing the names of the visible elements of the agent. For functions over time, this corresponds to a substitution of variables. This, however, must be done carefully to avoid changing the underlying meaning of the equation. In our framework, the renaming operation rename takes as argument a renaming function that maps the elements of the signature into a new signature , where and are both subsets of the common set of signals . The function is required to be a bijection in to avoid conicts of names and potentially a change in the behavior of the agents. If is a renaming function, we dene renaming on traces as the corresponding operation on the signals in the signature. Formally:

which represents a constant oscillation with frequency . An agent, the denotation of the differential equation, is a set of individual executions, i.e. the set of all possible

rename

As for projection, renaming of trace structures can be seen as the natural extension to sets of the corresponding operation on individual traces. When applied to a trace structure,

the effect is that of a renaming of the variables in the corresponding differential equation. This process corresponds to that of instantiation of a master agent into its instances. Projection and renaming, seen as operators for scoping and instantiation, are common operations that are meaningful to all models of computation. For trace structures, they are always dened as the natural extension to sets of the corresponding operations on traces. The combination of the set of traces for all alphabets , and of the operations proj and rename has the structure of an algebra 1 . We call this algebra a trace algebra, and we usually denote it with the symbol . For all trace algebras (and therefore, for all models of computation) we require that the operations on traces satisfy certain properties. There are two reasons for doing that. First, the properties ensure that the operations behave as expected given their intuitive meaning. For example, we expect that a projection followed by another projection be the same as the second projection alone, or that a projection that retains all symbols in the trace results in the very same trace. Similarly for renaming and for certain combinations of the operations. Second, we can use these properties as assumptions to prove results that are independent of the particular model of computation in question. These results provide powerful tools that the designer of the model can use to prove general facts about the model and about its relationships with other models. Similarly to trace algebra, the combination of all trace structures and the operations of projection and renaming on trace structures form an algebra, that we call trace structure algebra. However, before we formally dene a trace structure algebra, we introduce an additional operation on trace structures. The third operation that we introduce is that of parallel composition of agents. A system of equations is an example of a parallel composition in our model of computation based on continuous time. Here, each equation is interpreted as a single agent. The system is also interpreted as an agent, the one that is obtained by composing the individual agents. An example of a system of equations is the following:

We can easily formalize this notion in the framework of trace algebra. Let and be two trace structures, and denote with their parallel composition. Clearly, to model this composition, the signature of must include the signals of both and . Hence:

The set of traces of must be such that each trace belongs to both and . However the traces must rst be converted from one alphabet to another. This can be achieved by rst extending the set of traces and to and , respectively, which are sets of traces over the alphabet such that

proj proj

The traces in clearly satisfy the system of equations for (the additional functions are simply ignored), but do not necessarily satisfy that for . Likewise, the traces in satisfy the equation for but do not necessarily satisfy that for . The parallel composition is the set of those traces that satisfy both, Given this denition, it is straightforward to show that parallel composition corresponds to the usual operation of taking the intersection of the solutions of two different equations. Consider again the system of differential equations in Equation 2. This system can be represented as the parallel composition of 5 trace structures 2 , as shown in Figure 2, where the rounds represent trace structures, and the connections represent shared signals (functions over time). The signature of the parallel composition is

Each trace structure imposes its constraints to the overall solution. For example, if is a trace with alphabet , then the trace structure for requires that proj be the function identically equal to .

(2) (3) (4) (5) (6)

I2

I2

m + f s I1

I1

In the natural semantic domain, the agent that corresponds to the system of equations is made of collections of functions that are solutions to all equations. Intuitively, this corresponds to having the agents associated to each equation run concurrently by sharing the common signals.
An algebra is simply a set together with some functions over that set.

Fig. 2. Parallel composition of agents

The denition of parallel composition of agents shown above for the continuous time model of computation can be
Parallel composition turns out to be associative, therefore we can talk about the operation of parallel composition of more than just 2 trace structures.

generalized in a straightforward way in our framework. Parallel composition corresponds to the concurrent execution of two agents. As discussed above, the parallel composition is a set of traces in the union of the alphabets of and that is compatible with the restrictions imposed by the agents being composed. We can formalize the notion of compatibility by requiring that if is a trace of with alphabet , then its projection proj on the alphabet of is in , and the projection proj on the alphabet of is in . The set of traces in must be maximal with respect to that property. It can be shown that the previous denition of parallel composition for the continuous time model is equivalent to this formulation. The combination of the set of trace structures and the operations of projection, renaming and parallel composition of trace structures forms an algebra that we call trace structure algebra. Similarly to the algebra for traces, the operations in a trace structure algebra must satisfy certain properties. For example we require that parallel composition be commutative and associative, and that the extensions to sets of projection and renaming also behave consistently. Note that because these operations are predened, given a trace algebra, and the set of trace structures to be used as the universe of agent models, a trace structure algebra is constructed in a xed way. A fundamental result of this work is that the properties of the trace algebra are sufcient to ensure that the corresponding trace structure algebra satises its required properties. To summarize, the rst step in dening a model of computation is to construct a trace algebra. The trace algebra contains the universe of traces for the model of computation. The algebra also includes two operations on traces: projection and renaming. These operations intuitively correspond to encapsulation and instantiation, respectively. The second step is to construct a trace structure algebra. Here each element of the algebra is a trace structure, which consists primarily of a set of traces from the trace algebra constructed in the rst step. A trace structure algebra also includes three operations on trace structures: parallel composition, projection and renaming. Projection and renaming are simply the natural extension to sets of the corresponding operations on traces, while parallel composition is derived from the denition of projection on traces. Thus, constructing a trace algebra is the creative part of dening a model of computation. Constructing the corresponding trace structure algebra is much easier. The example of this section shows how to formalize within our framework the natural semantic domain of a model of computation based on continuous time and differential equations. It is worth noting how our representation of the agents is completely denotational, in that no rule is given to derive the output from the input. In addition, while our formalization is close to the natural semantic domain of traditional differential equations, the algebraic infrastructure introduces additional concepts such as hierarchy, instantiation and scoping in a natural way. For instance, the trace structures that correspond to the oscillators could be viewed as instantiations of a primitive component obtained by a renaming operation. Also, the frequency modulator

that results from the parallel composition outlined above could be used as a primitive component: to that end, it is enough to hide the internal signals through a projection operation. These characteristics make our approach suitable as a foundation for the formal semantics of popular design tools, such as Simulink. C. Summary and Notation In the previous two sections we have introduced the concept of a trace algebra and a trace structure algebra. Formally a trace algebra is a triple:

proj rename

where we use the symbol to denote the set of traces for all possible alphabets. We also use the symbol as the function that to each alphabet associates the set of possible traces with that alphabet. We say that to denote that is a trace in the alphabet . A trace structure is a pair

where is a signature and a set of traces in the alphabet of the trace structure ( ). A trace structure algebra is a 4-tuple

proj rename

where is a set of trace structures. The operations of projection and renaming are obtained from the corresponding operation on traces as extensions to sets. The symbol de , then the set of notes parallel composition. If traces of is obtained from the set of traces and of and as

proj

proj

The signature of the parallel composition must also be obtained from that of the agents being composed. Each model of computation must dene this operation, as well. In the sections that follows we will present four more models of computation at different levels of abstraction and provide their formalization in the framework of trace algebra. D. Concatenation and Sequential Composition In the case of differential equations, a system corresponds to the parallel composition of agents. In other models of computation, however, the emphasis may be on a sequential execution of the agents. This could be seen as a parallel composition where control ows from one agent to another, thus making only one agent active at a time. Nevertheless, this situation is so common that it warrants the introduction of some special operations and notation. For these models we introduce a third operation on traces called concatenation, which corresponds to the sequential composition of behaviors. Similarly to the other operations,

concatenation must also satisfy certain properties that ensure that its behavior is consistent with its intuitive interpretation. Other than that, the denition of concatenation depends upon the particular model of computation. Concatenation is also used to dene the notion of a prex of a trace. We say that a trace is a prex of a trace if there exists a trace such that is equal to concatenated with . With concatenation, we distinguish between a complete behavior and a partial behavior. A complete behavior has no endpoint. Since a complete behavior goes on forever, it does not make sense to talk about something happening after a complete behavior. A partial behavior has an endpoint; it can be a prex of a complete behavior or of another partial behavior. Every complete behavior has partial behaviors that are prexes of it; every partial behavior is a prex of some complete behavior. The distinction between a complete behavior and a partial behavior has only to do with the length of the behavior (that is, whether or not it has an endpoint), not with what is happening during the behavior; whether an agent does anything, or what it does, is irrelevant. Complete traces and partial traces are used to model complete and partial behaviors, respectively. A given object can be both a complete trace and a partial trace; what is being represented in a given case is determined from context. For example, a nite string can represent a complete behavior with a nite number of actions, or it can represent a partial behavior. Like in the other cases, concatenation induces a corresponding operation on trace structures that we call sequential composition. We can illustrate these concepts by extending the example of the previous section to a continuous time model of computation that is suitable to studying hybrid systems, and that includes the operation of concatenation. A typical semantics for hybrid systems includes continuous ows that represent the continuos dynamics of the system, and discrete jumps that represent instantaneous changes of the operating conditions. In our model we represent both ows and jumps with single piece-wise continuous functions over real-valued time. The ows are continuous segments, while the jumps are discontinuities between continuous segments. In this paper we assume that the variables of the system take only real or integer values and we defer the treatment of a complete type system for future work. The sets of real-valued and integer valued variables for a given trace are called and , respectively. Traces may also contain actions, which are discrete events that can occur at any time. Actions do not carry data values. For a given trace, the set of input actions is and the set of output actions is . The signature of each agent is a 4-tuple of the above sets of signals:

The set of partial traces for a signature is . Each element of is as a triple . The nonnegative real number is the duration (in time) of the partial trace. The function has domain . For , is a function in , where is the set of real numbers and the closed interval is the set of real numbers between and , inclusive. This function must be piece-wise continuous and right-hand limits must exist at all points. Analogously, for , is a piece-wise constant function in , where is the set of integers. , For , is a function in where iff action occurs at time in the trace. The set of complete traces for a signature is . is as a pair . The function Each element of is dened as for partial traces, except that each occurrence of in the denition is replaced by , the set of nonnegative real numbers. To complete the denition of this trace algebra, we must dene the operations of projection, renaming and concatenation on traces. The projection operation proj is . The trace that results is the same dened iff as except that the domain of is restricted to . The rerename is dened iff is a naming operation one-to-one function from to some . If is a partial trace, then where results from using to rename the elements of and . The denition of the concatenation operator , where is a partial trace and is either a partial or a complete trace, is more complicated. If is a partial trace, then is dened iff and for all ,

(note that , , etc., are components of and in the obvious way). When dened, is such that and for all

for for

Note that concatenation is dened only when the end points of the two traces match. The concatenation of a partial trace with a complete trace yields a complete trace with a similar denition. If , then is a prex of . Trace structures in this model have again signature . Their denition must be extended to contain a set of complete traces and a set of partial traces . We also denote with the set of all traces (consistently with the previous formulation). The sequential composition , and in that case: is then dened when

The sets of signals may be empty, but we assume they are disjoint. The alphabet of is

where concatenation is naturally extended to sets of traces. As for parallel composition, the denition of sequential composition is constructed from equivalent concepts in the trace algebra. Therefore, the trace structure algebra can still be constructed automatically.

10

V. M ODELS OF C OMPUTATION AND T RACE A LGEBRAS The sections that follow introduce the formalization of the semantic domain for more models of computation. In all cases we follow the same pattern by rst presenting the natural formalization, and then the formalization in terms of trace algebras. For each model of computation we also sketch an example of its typical applications. Each example is one of the subsystems of the PicoRadio architecture shown before. Later sections of this paper show how we can derive relationships between these models within the framework. A. CSP Communicating Sequential Processes were introduced by Hoare [15]. It consists of a collection of agents that interact through the exchange of actions. Actions are shared and must be synchronized: when an agent wishes to perform an action with another agent, it must wait until the other agent is ready to perform the same action. CSP is particularly well suited to handle cases where a tight synchronization is required or to schedule access to a shared resource. In our example we can use CSP to model a manager subsystem that regulates access to a set of parameters and tables that can be set and read by the user and by the protocol stack. To do this, the manager initially waits to synchronize with either the protocol stack or the user input; once synchronized with one of the two parties, it reserves the shared resource and handles the communication by performing a set of actions (e.g. read, write, update). At the end of the transaction, the manager goes back to its initial state and waits to synchronize again. Figure 3 shows a diagram of this subsystem.
Protocol Stack

where len when the set is innite. The -th element of corresponds to the -th element of that belongs to . Hence, if , then where

Note that any and combination is unique. For renaming, assume without loss of generality that is of the form

then

rename

Models of agents are obtained in the standard way, as a collection of sequences. The signature of an agent includes a set of input actions and a set of output actions . The parallel composition is dened when and are disjoint, and in that case

Given the denition of projection, parallel composition clearly requires that trace structures (agents) synchronize on the shared actions. This model is based solely on actions that bear no value. It is straightforward to extend the model to include a value for each action. We dene:

where is the set of possible values. Projection and renaming are extended by having them act only on the rst component of the pair. Formally, if and proj then the length of (written len ) is

Manager

Tables and Parameters

User
Fig. 3. Table manager and UI interface

Constructing a trace algebra and a trace structure algebra for this model is particularly simple because the communication model ts very easily in our framework. A single execution of an agent (a trace) is simply a sequence of actions from the alphabet of possible actions. Formally, we dene where the notation includes both the nite and the innite sequences over . Projection and renaming are dened , then proj is as expected: if and the sequence formed from by removing every symbol not in . More formally, if proj , then the length of (written len ) is

and for all integer such that

then

len

len , where is the unique and

len

Likewise for renaming. Without loss of generality, assume

rename

len

len

With this denition we can construct a trace structure that represents the table manager depicted in Figure 3. The signature includes inputs and outputs to and from both the protocol stack and the user interface, with actions that set and read the appropriate parameters. For example, the parameters could be a set of virtual connections, specied as pair of addresses (vci and vpi) and the packet length. Two

11

typical traces for the manager deal with handling requests from the protocol and from the user, as in

ps req vci vpi ps release user req length vpi

where ps refers to the protocol stack, and user to the user interface. Note that while the manager can nondeterministically choose to serve the protocol stack or the user, it must continue to serve the party that was chosen until the shared resource is released. Compared to the traditional CSP model, ours differ in some respects. For example, in our model it is possible for several agents to synchronize on the same action, thus making it possible for one agent to broadcast an event. In a more traditional model, only one of the listeners is able to react to the event. This is a consequence of our denition of parallel composition. Another difference is that in our model (and in all other models constructed using trace algebras), the operation of parallel composition and renaming are clearly differentiated. In other words, parallel composition in our model does not create the connections, but is limited to constructing an agent whose projections are compatible with the ones being composed. Renaming must be invoked separately (and before the composition) to create the appropriate instances of the agents to be composed. B. Process Networks Process networks are collections of agents that operate on innite streams of data. Streams are traditionally implemented as FIFO queues that connect processes that can produce (write) and consume (read) tokens. Process networks are particularly well suited to modeling digital signal processing applications, given the good match between the typical data model of signal processing and the communication model of process networks. As an example we might consider a demodulator that uses a local reference to convert an incoming signal from high to base band. The decoder receives a stream of tokens that corresponds to, for instance, the output of the local oscillator described above in Section IV-A. At the same time it receives a stream of data tokens to be demodulated. The demodulator combines the two streams and then applies a lter to retain only the component of interest. A diagram of this subsystem is shown in Figure 4.

output stream (together, of course, with their value). The natural domain for this kind of model is then clearly that of a function on streams, which can in turn be formalized as sequences. In the case of our demodulator, if we denote with and the reference and the modulated streams, and the demodulated stream, we can represent the dewith coder in the natural domain as a function from the inputs to the output: Parallel composition of agents is dened by composing for each stream the function whose range is with the function whose domain is . This denition becomes circular in the presence of loops in the structure of the parallel composition. In this case, the composition is dened by breaking the loop at some point, and then looking for the xed points of the function that results. If we do not restrict the range of the possible functions , the parallel composition may have several xed points (or even no xed points at all), and hence exhibit non-deterministic behavior. Because we ultimately want to model physical processes that are deterministic, we must impose some constraints on . We say that a stream is a prex of a stream if is equal to some initial segment of . This relation can be extended to sets of streams by requiring that all streams in the rst set are a prex of the corresponding stream in the second set. This relation is easily proved to be a partial order on the streams. To ensure that a composition of stream functions is determinate, the function of each of the components must be continuous with respect to the prex ordering on the streams. If that is case, then we are assured that there exists a unique least xed point, and the parallel composition is dened in terms of that. In addition, continuity implies monotonicity, which in turn ensures that the response of the system to a specic input can be computed incrementally from progressively longer prexes. In the following we will show two ways of describing the process networks model in our framework. The rst method is closer to the semantic domain based on functions on streams, but falls short in the denition of parallel composition. The second method xes this problem, at the expense of modeling the traces at a more detailed level of abstraction. In our initial attempt we follow the natural semantic rather closely. First we dene the signature of a trace structure. Process networks clearly distinguish between inputs and outputs, hence we dene

f1

f1+ f2 f1 f2 f2

f1 f2

where and are disjoint sets of input and output signals, respectively. In the example above, we have

R
Fig. 4. A signal demodulator

The important property of this model is that the exact time at which tokens arrive at the input is irrelevant, and that only their order within the same stream determines the

Given a stream function, a trace is a single application from a set of input streams to a set of output streams. If we dene the alphabet of a trace to be the set , and

12

formalize streams as the nite and innite sequences over a value domain , denoted by , then the set of all possible traces is A trace structure is simply the signature together with a set of traces, i.e. where . If we separate the contributions of the inputs and the outputs, the set of traces can be seen as (is isomorphic to) a subset of

the xed-points in the composition. The problem with our model is that whether a trace is included in the composition or not depends exclusively on whether its projections are part of the individual components. In order to include only the least xed-point, we would also need to check whether other traces (more specically, prexes) are also included in the composition.

Id
A B

that is, as a function on streams. In order to comply with the process network model, we also insist that the functions so identied have the necessary continuity and monotonicity properties with respect to the prex ordering dened on the sequences. In other words, not all set of traces may form a trace structure. We dene a functional trace structure as one that associates at most one output stream to each input stream. More formally, the condition is simply

Id
Fig. 5. Parallel composition with feedback

proj

proj

To dene monotonicity we rst need a partial order on traces. We say that a trace is a prex of a trace , written , if is a prex of for be a trace structure. Then is all . Let monotonic if for all ,

proj proj proj proj

Note that, in particular, this also implies

Our solution to this problem avoids changing the denition of parallel composition (which is common to all trace structure algebras), but requires us to develop a new semantic domain at a more detailed level of abstraction. The additional information is enough the determine the result of the parallel composition exactly. In the new formalization, each trace is a totally ordered sequence of events. Formally we have:

Note that this is exactly the denition that we have for the semantic domain for communicating sequential processes. The denition of projection and renaming also parallels the denitions given in Section V-A, and will not be repeated here. The signature of the trace structures is again a pair of disjoint sets as before. Despite the similarities with CSP, this formulation results in a different model of computation because the class of trace structures that we construct must satisfy some additional conditions, as was also the case in our initial formalization of process networks. In the new formulation, the traces in the trace algebra carry order information for all events. This means that we can tell whether an input (or an output) event occurred before or after another input or output event. Because the semantics of process networks is independent of this ordering, a trace structure must contain traces that represent all orderings of inputs and outputs that are compatible with a particular stream function. The word compatible here has two meanings. First we must only include those orderings that result in monotonic functions. Second, inputs and outputs can not occur arbitrarily ordered in a trace: output tokens should never precede the input tokens that caused them. The rest of this section makes these two requirements more precise. It is easy to construct a homomorphism to the previous trace algebra that loses the ordering information. Given a trace in the alphabet , we isolate the sequence relative to

proj proj
Finally we dene the process network trace structure algebra as the algebra that contains all and only the functional and monotonic trace structures. The operations of projection and renaming on traces are easily dened. If , and is a renaming function, then

proj rename

Parallel composition on trace structures is dened as usual in terms of the projection operation. Note that the trace structure obtained from a composition contains all the traces that are compatible with the agents being composed; in particular, it will contain all the xed-points in a composition that involves a feedback loop. Figure 5 illustrates the point. Here two instances of the trace structure are composed so that the input of one corresponds to the output of the other. The trace structures are also dened to be the identity function on streams, i.e. they contain all pairs of identical input and output streams. It is easy to show that also the composition contains all pairs of identical streams. This is a problem, as it doesnt faithfully represent the semantics of the original formulation of process networks, that in this case includes only empty streams, the least of

13

a signal using a projection operation, and then construct the appropriate function. More formally:

proj

where the subscript denotes the second component of a pair in . This function is a homomorphism in that it commutes with the application of the other operations on traces, projection and renaming. The functionality and monotonicity conditions are best expressed in the domain of stream functions, as we dont want the particular order of a trace to affect the prex relation. A functional trace structure can be dened as follows. For all , the following condition must be satised:

Since is the fastest subset of , we can now construct a new set that includes all possible delays of the output. We construct this set by induction. Given a set of that adds all traces where traces, we dene a function each output that precedes an input is delayed by one position. Formally:

(7)

proj Similarly for monotonicity. If , then is monotonic if for all , proj proj proj proj
In order to include all orderings in the trace structures, we might be tempted to state that if , then any other trace such that should be in . Doing this would remove all information regarding the ordering of inputs and outputs. As a result, the composition would again suffer from the same problem (inclusion of all of the xedpoints) that we had with the previous model. Instead, we must strengthen this condition. We do this in two steps. Given a trace structure , we rst look for a subset of only those traces that can be characterized as quiescent, in the sense that all the outputs relative to the inputs have been produced. In fact, we are looking for the set with the added property that the outputs occur in the sequence as soon as possible. This is similar to the fundamental model assumption in asynchronous design. In the formalization that follows, we will assume that tokens have no value to simplify the notation. Under this assumption, can be formalized as follows:

proj

Intuitively we would like to repeatedly apply this function starting from until we reach a xed-point. This function is monotonic relative to set containment (given , will add at least the traces that adds, plus possibly some more). In addition, creates progressively larger sets, i.e.

When this is the case, we say that is inationary at . These two properties are enough to guarantee the existence of a xed-point. In fact, they guarantee the existence of a least xed-point greater than or equal to , the minimal set that contains and all the traces with delayed outputs 3 . Lets denote with fp the xed-point obtained by starting the recursion with the associated to . Then we dene the trace structure algebra for process networks as the one that contains only those trace structures such that

fp

The system shown in Figure 5 now results in a correct composition. In fact, the bottom trace structure will require that the input at appear before any output on in all its traces. Likewise, the top trace structure will require its input, which corresponds to , to occur before the output . This contradiction will rule out all traces except the empty one, as dictated by the least xed-point semantics. C. Discrete Event A discrete event system consists of agents that interact by exchanging events on a set of signals. Each event is labeled with a time stamp that denotes the time at which the event occurred. The notion of time is global to the entire system, so that if any two events have the same time stamp then they are considered to occur at the same time. The set of time stamps is often taken to be the set of positive integers or real numbers, ordered by the usual order. The order is then extended to the events so that events with smaller time stamps precede events with higher time stamps. The model is called discrete because it is required that for each signal the set of time stamps is not dense in the reals. Examples of discrete event systems abound, as both Verilog and VHDL use this model as their underlying simulation semantics. For our example, we might consider the subsystem that implements the protocol stack that handles the data stream after it has been demodulated. The stack includes functions that modify and depend on the tables
Technically it is the greatest lower bound of the set of xed-points of that are greater than or equal to

where the notation denotes the sequence made of only the symbol . The intuition behind this denition is as follows. Assume that a trace can be written as the concatenation with . Then, since is functional, proj , for any trace such that proj we have proj proj . So, in particular, none of the output tokens that are contained in the sufx ever occur before the input token in any other trace in with the same inputs as . If starts with an output token , this condition tells us that does not appear any sooner in any other trace, and therefore that outputs as soon as possible. The universal quantication on , and extends the property to the entire trace .

14

and parameters managed by the subsystem described in the section on CSP (V-A). In addition, the protocol stack interacts with the physical layer at the lower levels, and then unpacks and delivers the raw data to the application. The non-recurring nature of these operations, their unpredictable timing and the dependency of the protocol behavior on their timing make a discrete event model more suitable than, say, a data-ow model. A typical protocol stack of four layers is shown in Figure 6.

To the application Transport Layer Network Layer MAC Layer Link Layer To physical layers
Fig. 6. Protocol Stack

divergent, i.e. for all , there is an event in with time stamp greater than . Discreteness can be enforced by requiring that for all non-negative reals , there is . only a nite number of events in such that Projection and renaming are dened similarly to the functions dened for CSP in Section V-A. The signature of a trace structure distinguishes between the set of inputs and the set of output , that together form the alphabet . Trace structures are then built as a signature with a set of traces in a way similar to the models that we have already presented. Constraints can be imposed on the set of traces of a trace structure, analogous to the monotonicity and continuity requirements for process networks. As an example from our protocol stack, one of the layers may include, among others, two traces, one for a successful operation, and the other for the occurrence of a timeout. The discrete event model is required in this case, as the process network model is unable to handle timeouts. In some discrete event models, a new event occurs on a signal if and only if the corresponding value for that signal has changed since the previous occurrence. Traces that have this property are called stutter free. If this is the case, it is convenient in our framework to dene the set of traces as the subset of stutter free traces. We can do this by dening a function that, given a trace, produces its unique stutter free equivalent by removing the unnecessary events. We call this process stutter removal. Note that discrete traces result in discrete traces after stutter removal. D. Pre-Post In this last model of computation that we present we are concerned with modeling non-interactive constructs, such as the ones that occur in a programming language. In this case we are interested only in an agents possible nal states given an initial state. This semantic domain could therefore be considered as a denotational representation of an axiomatic semantics. In our example, this model may be appropriate for the higher levels of the protocol stack, and in particular for the application layer where most of the functionality can be described as non interactive procedure calls. Note how this model of computation differs from those that were introduced in the previous sections, all of which included some notion of evolution of the system. Nontheless, traces dont necessarily require that notion, and we can easily t this model in our framework. Traditionally, the semantics for this kind of models is constructed by rst dening a state as a set of variables , and then indicating the rules according to which each construct in the programming language modies this state. A natural semantic domain for describing the constructs is therefore a set of pairs of initial and nal state, one for each possible initial state. The formulation in the framework of trace algebra is almost identical to the natural domain. The signature of the agents is simply the set of variables the agent depends on and writes to. Each trace is made of pairs of states. A state is a function with domain that to each variable associates a value from a set of values . We also de-

In the natural semantic domain, each behavior of an agent can be characterized as a sequence of events, each associated to an increasing time stamp. Note that events that occur in unrelated parts of the system are still ordered by their time stamps. Different events may occur with the same time stamp. In most cases, if two discrete event models differ at all, they differ in the way events with the same time stamp are handled. For the purpose of simulating such systems, some models dene a notion of a delta cycle that orders the events with identical time stamps. Others dont dene any specic way to handle this occurrence, leading to nondeterminism. It is natural to construct a semantic domain in our framework based on the interpretation of a behavior as a sequence of events with time stamps. If is the set of signals, the set of values and the set of non-negative reals, we dene the traces as follows:

Two conditions must be imposed on the time stamps of a trace. First, the time stamps in the sequence must be nondecreasing, i.e. if is a trace and and are two natural numbers such that len , then

where the subscript denotes the time stamp of the event. Second, the time stamps of an innite sequence must be

15

ne a degenerate, undened state a trace is simply a pair of states

. Given an alphabet

where denote the initial and the nal state, respectively. Here, the initial state must be non-degenerate. A degenerate nal state denotes constructs whose nal state is either undened, or that fail to terminate. If is a state, we can dene projection and renaming on states as follows:

proj rename

Then, if is a trace, we dene projection and renaming by the obvious extension:

proj rename

proj proj rename rename

The semantics of a procedure denition is given by a where is trace structure with an alphabet the -th argument of the procedure. The semantics of a procedure call proc(a, b) is the result of renaming and on the trace structure for the denition of proc. The parameter passing semantics that results is value-result (i.e. no aliasing or references) with the restriction that no parameter can be used for both a value and result. More realistic (and more complicated) parameter passing semantics can also be modeled. To dene the semantics of if-then-else we introduce a function init that is true if and only if the predicate is true in the initial state of trace . The formal definition depends on the particular trace algebra being used. For pre-post traces, init is false for all if has as its initial state. For the semantics of if-then-else, let be the conditional expression and let and be the sets of possible traces of the then and else clauses, respectively. The set of possible traces of the if-then-else is

A trace structure is easily constructed as a set of traces. As usual, the notion of parallel composition arises automatically given the denition of projection. However, in this particular model, parallel composition is not the main operation of interest, since we are modeling the behavior on non-interacting constructs. In fact, handling shared variables of concurrent programs is problematic with these definitions, and we dene parallel composition to be undened when the signatures of two agents overlap. Instead, we concentrate on the concatenation operation which is relevant to dene the concept of sequential composition. As mentioned in Section IV-D, we must distinguish between complete and partial traces. The above denition of a trace can be interpreted either way, depending on whether we consider the behavior to be completed or not. A nonterminating trace could be considered as a partial trace, assuming that non-termination occurs within a bounded amount of time. This is quite unusual: it may occur, for example, if the duration of an innite loop decreases exponentially from one iteration to the other. If and are traces, the concatenation operation is dened if and only if is a partial trace, the signature and are the same, and the nal state of is identical to the initial state of . As ex and pected, when dened, has alphabet : contains the initial state of and the nal state of

init

init

that is, we choose the traces from one or the other clause according to the truth value of the condition. Notice that this denition can be used for any trace algebra where init has been dened, and that it ignores any effects of the evaluation of not being atomic. The semantics of other, more complicated, constructs like loops could also be dened using similar techniques. We refer the interested reader to [5]. VI. C ONSERVATIVE A PPROXIMATIONS AND R ELATIONSHIPS A MONG M ODELS OF C OMPUTATION In the previous section we have presented the formalization of several models of computation at different levels of abstraction, and how they can all be described in the framework of trace algebra. For each model we have suggested a particular application in the context of a system similar to the PicoRadio project. The whole system is depicted in Figure 1. In order to understand the behavior and the properties of the whole system, we need to understand the interplay between the different subsystems. We can accomplish this by relating the semantic domains that we have developed in the previous section and study how the different notions of computation t together. In what follows we develop a concept that we call conservative approximation. Intuitively a conservative approximation is a mapping of agents from one semantic domain to another, more abstract, domain. We actually employ two such mappings. The rst mapping represents an upper bound of the agent: the abstract agent represents all of the possible behaviors of the agent in the more detailed domain, plus possibly some more. This mapping is usually denoted by . The second is a lower bound: the abstract agent represents only possible behaviors of the more detailed one, but possibly not all. We denote it by . When used in combination, these two mappings allow us to relate results in the abstract domain to results in the more

Trace structures in this model have signature and they provide the semantics of statements in a programming language. The signature indicates the variables accessible in the scope where the statement appears. For example, the traces in the trace structure for an assignment to variable are of the form , where is an arbitrary initial state, and is identical to except that the value of is equal to the value of the right-hand side of the assignment statement evaluated in state (we assume the evaluation is side-effect free).

16

detailed domain. In particular, a conservative approximation is dened to preserve results related to trace containment, such that if and are trace structures, then:

PN abstract h 1(P) h(P) g(P) PN detailed

PN natural

We refer to our previous work for more details ([4]). Where the lower and the upper bound coincide we can talk about an inverse of the approximation, by assigning to the agent in the abstract domain the unique inverse image of the two mappings. Where this function is dened, it can be interpreted as a renement or concretization of the abstract semantic domain into the detailed one. One direction in our research currently focuses on characterizing the properties of this inverse function. A. DE to PN In this section we will explore the relationships between the discrete event model presented in Section V-C and the process network model presented in Section V-B. We will use the simple version of DE that consists of a sequence of events. During the presentation we will refer to Figure 7 and Figure 8. Figure 7 depicts the mappings that relate traces in the different domains. Figure 8 shows the corresponding mappings when applied to the domains of trace structures (sets of traces).
isomorphism PN abstract PN natural

isomorphism

g(P) DE

Fig. 8. Relations between trace structure algebras

xed-point in the composition. By doing this we abandon the isomorphism of the traces with the domain of streams. To be classied as process network agents, trace structures in this formalization must satisfy constraints that ensure that a function on stream is in fact being constructed. The discussion then suggests that there is an isomorphism (which preserves the operation of composition) between the detailed model of trace structures and the agents in the natural semantic domain. Recall that traces in the abstract process network algebra belong to the set:

Traces in the more detailed algebra belong to the other set:

h g PN detailed

As shown in Section V-B, traces in this more detailed model can be mapped into traces in the more abstract model by virtue of a homomorphism that removes the order relationships across signals. When naturally extended to trace structures (i.e. to set of traces), maps agents in the detailed domain into agents in the abstract domain. The homomorphism on individual traces is obviously not one-toone. However, when considered as a mapping of trace structures from the (restricted set of agents in the) detailed trace structure algebra into the more abstract algebra, the function is a one-to-one mapping. In fact, if two trace structures and map into the same trace structure in the abstract algebra, then they must have the same fundamental mode representation . The inductive construction of Equation 7 then shows that . Because is one-toone when applied to agents, there is an inverse function from the abstract trace structure algebra into the detailed algebra. The relationships between the discrete event and the process network model of computation can be described as a mapping to one of the two formulations. Recall that traces in the discrete event model are of the form:

g DE

Fig. 7. Relations between trace algebras

We have already pointed out that the natural domain is that of functions on streams. Our initial abstract formalization is a model of traces that is isomorphic to the set of streams. However, the corresponding formalization in terms of trace structures led to a problem with the composition operator: in the original model, composition is dened so that it includes only the least xed-point of the functions that satisfy a certain equation; in our model, instead, composition includes all the xed-points. Thus we are unable to nd an isomorphism between the trace structures of our formalization and the agents in the natural domain, that is a one-to-one mapping that preserves composition. We have then developed a more detailed domain, in which sequences are used to emphasize the order relationships between inputs and outputs that allows us to build the

17

A straightforward mapping can be constructed from the discrete event traces to the detailed process network traces. The mapping is a function that simply removes the time stamp from the sequence. In other words, if

is a discrete event trace, then

fact, a trace with a similar sequence of events, but different delay, would be in but not in ; because discards the delays, and, by denition of above, is removed from the mapping. In other words, the process network model does not distinguish between agents with different delays and we are indeed computing an approximation.

a b

This mapping is a homomorphism on traces, in that it commutes with the operations of projection and renaming. In other words, if is a discrete event trace, then

proj rename

proj rename

Fig. 9. Inverter agent with delay

The natural extension to sets of traces of the homomorphism is a function that maps discrete event agents into process network agents. This function is an upper bound of a conservative approximation:

For the lower bound we must map to a restricted set of traces. Namely, the inverse image of should map to
traces that are only in . This can be accomplished using the homomorphism as follows:

where universe of traces. This lower bound can be made tighter by considering only the traces that occur in the agents that form the trace structure algebra. It can be shown that the two mappings so dened form a conservative approximation. This formulation can be generalized. In fact, nothing in the derivation of and depends on the particular models of computation considered. Hence, whenever there is a homomorphism between the sets of traces of two different models of computation, we can construct a conservative approximation using the same formulation. We refer the reader to [4] for more details on this technique. What does this mapping look like? Consider for example the inverter shown in Figure 9. It has an input and an output . If we assume the inverter has a constant positive delay , then a possible trace of the agent in the discrete event model might look like the following:

is the complement of with respect to the

cess networks model is

assuming that . The corresponding trace in the pro

This trace is included in the upper bound computed by . If the agent does not contain a trace for any possible delay , then this trace is not included in the lower bound . In

It is interesting to consider the inverse of this conservative approximation. The inverse mapping corresponds to trying to embed an agent of the process networks model into a discrete event context. Here we must nd agents such that . Because of the particular abstraction we have employed, this occurs whenever the agent has non-deterministic delay. In this case, given a trace , all other traces with the same sequence of events but different delay are included in the set of possible traces of the agent, and therefore retained in the computation of the lower bound. Hence, for every agent in the process network model of computation, there exists an agent in the discrete event model, where has the same behaviors as and chooses non-deterministically the delay of the outputs. Any deterministic implementation of this embedding will therefore have to make an upfront choice regarding the timing of the agent. The functions and that we have just dened certainly constitute an abstraction. However, in this particular case the abstraction does not ensure that the corresponding trace structure in the process network algebra satises the constraints for that model dened in Section V-B involving equation 7. In fact, for each trace in the discrete event model there should correspond several (possibly innitely many) traces in the process network model that include all possible delayed outputs. It is possible to consider only a restricted version of the discrete event trace structures that maps correctly in the detailed process network algebra. To simplify this task, we will take an alternative route and use the abstract process network algebra as an intermediate step. Notice that the abstract process network trace structure algebra requires that agents be monotonic and functional. This requirement must still be satised by the discrete event agent that we want to abstract. An equivalent constraint that can be imposed at the discrete event level is that of receptiveness. Intuitively, a trace structure is receptive if it cant constrain the value of its inputs. The technical denition of receptiveness (see [11]) requires the device of innite games: an agent is receptive if it can always respond to an input with outputs that make the trace one of its possible traces.

18

We can show that if a discrete event agent is both receptive and functional, then it is also monotonic (where the prex order corresponds to the usual prex on sequences). In fact, assume it is not monotonic. Then there are traces and in such that proj proj , but proj proj . But if is receptive, then can be extended to a trace such that proj proj and . By the functionality assumption, . But , a contradiction. Hence must be monotonic. A homomorphism between the discrete event traces and the abstract process network traces is given by the composition of and . The natural extension to sets gives us a mapping on trace structures and a corresponding conservative approximation. An approximation from the discrete event trace structure algebra to the detailed process networks trace structure algebra can now be constructed by taking the composition of the mapping and as shown in Figure 8. B. CT to DE To construct an approximation from the continuous time to the discrete event model of computation we must rst dene the notion of an event at the level of the continuous time traces. Abstraction, in this case, can be done in several ways. One, for example, is to consider an event as the snapshot of the state at certain regular intervals. Another technique consists of abstracting the value domain, and identify an event whenever the signals cross certain discrete thresholds. In this paper we take yet another approach, and identify an event whenever any of the signals changes with respect to its previous value. Here, the notion of previous value must be made precise, since in general there is no immediate predecessor in the continuos real time. In the continuous time model signals may change value simultaneously. In the discrete event model, on the other hand, events are totally ordered, even when they have the same time stamp. Hence, after identifying an event, we must also decide how to order simultaneous events in the same time stamp. Because there is no obvious choice, we map each event in continuous time to the set of all possible orderings in discrete event. This choice implies that for each trace in the continuous time model there correspond several traces in the discrete event model. Consequently, the approach based on the homomorphism on traces outlined in the previous section will not work. To formalize these notions we start from the concept of an event. Intuitively, an event occurs when any of the signals changes value. It is easier, however, to dene the opposite condition, i.e. when all signals are constant. If is a function over the reals, we say that is stable at if and only if there exists an such that is constant on the interval . Recall now the denition of a continuous time trace: We say that a trace is stable on signal at if and only if the function is stable at . We say that a continuous time trace has an event

for signal at whenever is not stable on at . Because at time there is no left interval, we always assume that a trace has an event at time for all signals. To construct a trace in the discrete event model we must create a sequence where each element corresponds to an event for some signal at some time in continuous time. To simplify the task, we introduce two additional, and somewhat more elaborate, trace algebras for the discrete event model. In the rst trace algebra, we construct a sequence by taking the set of reals as an index set, and by mapping the index set to sequences of events that represent the delta cycles for each particular time stamp. An empty sequence of delta cycles denotes the absence of events for the particular time stamp. Formally, we dene the set of possible traces as: where is, as usual, the set of signals, and is the corresponding set of possible values. This formulation clearly includes systems that are not discrete: imagine, for instance, that the sequence corresponding to the delta cycles is non-empty for every . Thus we must further restrict the set of possible traces to only those whose set of non-empty time stamps is discrete, as was discussed in Section V-C. Projection and renaming are dened as expected. Their formal denition gives us the opportunity to introduce a construction theorems that allows one to build new trace algebras from existing ones. In this particular case, note how the set of traces is dened as a function whose range is the set of traces dened in Section V-A for the CSP model. The following theorem proves that when projection and renaming are dened appropriately, the result is always another trace algebra. Theorem 1. Let proj rename be a trace algebra and let be a set. Then the trace algebra such that:

proj rename
is a trace algebra.

proj rename

, In our particular case we let and projection and renaming as dened in Section V-A. Hence for a trace we have proj proj rename rename
A trace structure has again signature and is otherwise obtained as usual as a set of traces. The second trace algebra that we introduce is similar to the one just presented, but without ordering information within a time stamp. Then we build a mapping from each of the new traces to a set of discrete event traces, that contain all possible interleavings of the events.

19

Recall (see above) that traces in the discrete event model of computation are of the form:

VII. C ONCLUSIONS We presented the theoretical foundation of the Metropolis project whose goal is to build an environment where the design of complex systems will be a matter of days versus the many months needed today. All the models of importance reside in a unied framework so that their combination, re-partition and communication happens in the same generic framework and as such may be better understood and optimized. While we realize that today heterogeneous models of computation are a necessity, we believe that this unied approach is possible and will provide a designer a powerful mechanism to actually select the appropriate models of computation, (e.g., FSMs, Data-ow, Discrete-Event, that are positioned in the theoretical framework in a precise order relationship so that their interconnection can be correctly interpreted and rened) for the essential parts of his/her design. We used trace algebra to provide the underlying mathematical machinery. In particular, we showed how to formalize within our framework the natural semantic domain of a model of computation based on continuous time and differential equations. Then we introduced the formalization of the semantic domain for four more commonly used models of computation. In all cases, we followed the same pattern by rst presenting the natural formalization, and then the formalization in terms of trace algebras. For each model of computation we also sketched an example of its typical applications. For each model we have also suggested a particular application in the context of a system similar to the PicoRadio project. In order to understand the behavior and the properties of the entire system, we needed to understand the interplay between the different subsystems. We accomplished this by relating the semantic domains that we have developed in this paper and studied how the different notions of computation t together. We believe that this framework is essential to provide the foundations of an intermediate format that will provide the Metropolis infrastructure with a formal mechanism for interoperability among tools and specication methods. R EFERENCES
[1] [2] The rosetta web site. http://www.sldl.org. F. Balarin, M. Chiodo, P. Giusto, H. Hsieh, A. Jurecska, L. Lavagno, C. Passerone, A. Sangiovanni-Vincentelli, E. Sentovich, K. Suzuki, and B. Tabbara. Hardware-Software Co-Design of Embedded Systems: The Polis Approach. Kluwer Academic Press, June 1997. F. Balarin, L. Lavagno, C. Passerone, A. S. Vincentelli, M. Sgroi, and Y. Watanabe. Modeling and designing heterogeneous systems. In J. Cortadella and A. Yakovlev, editors, Advances in Concurrency and System Design. Springer-Verlag, 2002. J. R. Burch, R. Passerone, and A. Sangiovanni-Vincentelli. Overcoming heterophobia: Modeling concurrency in heterogeneous systems. In M. Koutny and A. Yakovlev, editors, Application of Concurrency to System Design, 2001. J. R. Burch, R. Passerone, and A. Sangiovanni-Vincentelli. Using multiple levels of abstraction in embedded software design. In M. A. Henzinger and C. M. Kirsch, editors, First International Workshop, EMSOFT 2001, volume 2211 of Lecture Notes in Computer Science. Springer-Verlag, 2001. P. Cousot and R. Cousot. Abstract interpretation: a unied lattice model for static analysis of programs by construction or approximation of xpoints. In Conference Record of the Fourth Annual ACM

The ordering information in the sequence of delta cycles can be removed by considering the more abstract set of traces: It is easy to construct a function from to that removes the ordering information. If is of the form , we dene as the trace such that for all

It is easy to show that is well dened, and that it is onto. However is not one-to-one, so that its inverse maps a single trace to a set of traces in . This set of traces corresponds to all possible interleavings of the set of pairs of signals and values, with or without repetitions. It is now easy to dene a function from traces in the continuous time to traces in the discrete event model without ordering. If is a continuous time trace, then as the trace such that for all dene

has an event on signal at time

We can now dene an approximation between the continuous time and the discrete event model based on the functions and . Let be a trace structure in the continuous time model. To build an upper bound we naturally extend the functions and to sets of traces as follows:

A lower bound could be constructed in several ways. Note, however, that without any further constraint the discrete event model can represent continuous functions exactly. In other words, since our mapping on trace structures is actually one-to-one, it does not constitute an abstraction. The obvious choice in this case is therefore to simply have

for all . The key to getting a real abstraction is that of dening exactly the conditions that make the discrete event model discrete. This can be done by replacing the set of reals in the denition of the trace algebra with a different set . The result is a parametrized trace algebra

[3]

[4]

[5]

Depending on the choice of tions are possible.

different kinds of abstrac[6]

20

[7]

[8]

[9]

[10]

[11] [12] [13]

[14]

[15] [16] [17] [18] [19] [20]

SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 238252, Los Angeles, California, 1977. ACM Press, New York, NY. P. Cousot and R. Cousot. Comparing the Galois connection and widening/narrowing approaches to abstract interpretation, invited paper. In M. Bruynooghe and M. Wirsing, editors, Proceedings of the International Workshop Programming Language Implementation and Logic Programming, PLILP 92,, Leuven, Belgium, 1317 August 1992, Lecture Notes in Computer Science 631, pages 269295. Springer-Verlag, Berlin, Germany, 1992. J. L. da Silva Jr., j. Shamberger, M. J. Ammer, C. Guo, S. Li, R. Shah, T. Tuan, M. Sheets, J. M. Rabaey, B. Nikolic, A. L. SangiovanniVincentelli, and P. Wright. Design methodology for picoradio networks. In Proceedings of the Design Automation and Test in Europe, Munich, Germany, March 2001. J. Davis II, M. Goel, C. Hylands, B. Kienhuis, E. A. Lee, J. Liu, X. Liu, L. Muliadi, S. Neuendorffer, J. Reekie, N. Smyth, J. Tsay, and Y. Xiong. Overview of the ptolemy project. ERL Technical Report UCB/ERL No. M99/37, Dept. EECS, University of California, Berkeley, July 1999. J. Davis II, C. Hylands, B. Kienhuis, E. A. Lee, J. Liu, X. Liu, L. Muliadi, S. Neuendorffer, J. Tsay, B. Vogel, and Y. Xiong. Heterogeneous concurrent modeling and design in java. Technical Memorandum UCB/ERL M01/12, EECS, University of California, Berkeley, Mar. 2001. D. L. Dill. Trace Theory for Automatic Hierarchical Verication of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1989. S. Edwards, L. Lavagno, E. Lee, and A. Sangiovanni-Vincentelli. Design of embedded systems: Formal models, validation, and synthesis. Proceedings of the IEEE, 85(3):366390, Mar. 1997. T. Henzinger. Masaccio: a formal model for embedded components. In J. van Leeuwen, O. Watanabe, M. Hagiya, P. Mosses, and T. Ito, editors, TCS 00: Theoretical Computer Science, volume 1872 of Lecture Notes in Computer Science, pages 549563. SpringerVerlag, 2000. T. Henzinger, M. Minea, and V. Prabhu. Assume-guarantee reasoning for hierarchical hybrid systems. In M. di Benedetto and A. Sangiovanni-Vincentelli, editors, HSCC 00: Hybrid Systems Computation and Control, volume 2034 of Lecture Notes in Computer Science, pages 275290. Springer-Verlag, 2001. C. A. R. Hoare. Communicating Sequential Processes. International Series in Computer Science. Prentice-Hall, 1985. E. A. Lee and A. L. Sangiovanni-Vincentelli. A framework for comparing models of computation. IEEE Trans. Comput.-Aided Design Integrated Circuits, 17(12):12171229, Dec. 1998. R. Negulescu. Process Spaces and the Formal Verication of Asynchronous Circuits. PhD thesis, University of Waterloo, Canada, 1998. R. Negulescu. Process spaces. In C. Palamidessi, editor, CONCUR, volume 1877 of Lecture Notes in Computer Science. SpringerVerlag, 2000. J. Rabaey, M. Ammer, J. S. jr., D. Patel, and S. Roundy. Picoradio supports ad hoc ultra-low power wireless networking. IEEE Computer Magazine, July 2000. J. Rowson and A. Sangiovanni-Vincentelli. Felix initiative pursues new co-design methodology. Electronic Engineering Times, pages 50, 51, 74, June 1998.