Executions

We define executions of anesmoresm-skAby first choosing an_{interpretation}I. An inter- pretationImust satisfy the following: (1)Imaps each functionf ∈F\Uto its predefined or nominal interpretation, and (2)Imaps each functionf_u ∈Uto some valid interpretation. Given the set of state variables V ofA, a valuation σmaps each each variablev ∈ V to a value of the appropriate type,σ(v). Let SV be the set of all such valuations, given a set of

variablesV. Given a valuationσ∈S_V, a variablex /∈Vand a valuev_x∈typeof(x), we write

σ[x7→v_x]∈S_V∪{x}to denote the valuation that maps all variablesy6=xtoσ(y)and mapsx tovx.

Astateof anesmoresm-skAis defined as a pair(l,σ), wherel∈Landσ∈SV. Given

a transitionr ∈ R, ofA, of the formr _, hl,m,guard,updates,l0i, and an interpretationI, we say thatris_enabledwith respect toIat a state(p,σ), if and only if (1) substituting each variablev∈Vwithσ(v)in the expression forguardresults in the guard being equivalent to true, and (2)p=l. Note that given an interpretationI, the expressionguarddefines a set of valuations where the transitionris enabled. We write [[guard,I]] to denote this set. Similarly, given the interpretationI,updatesdefines a function:

• [[updates,I]] :S_V →S_V∪{m

p}, ifris an output transition; heremp∈/ Vis a variable that represents the payload of the outgoing messagemand has typemtype(m).

• [[updates,I]] :S_V∪{mp} → S_V, ifris an input transition; herem_p ∈/ V is a variable that represents the payload of the incoming messagemand has typemtype(m).

• [[updates,I]] :SV →SV, ifris an internal transition.

We define anexecutionofA, under an interpretationIby describing the sequence of states

• (l,σ) m?vm

−−−−→ (l0,σ0) if and only ifAhas an_inputtransitionr ∈ R_i, which has the form r_,hl,m,guard,updates,l0i,σ∈ [[guard,I]], and [[updates,I]] (σ[m_p7→v_m])≡σ0. • (l,σ) m!vm

−−−−→ (l0,σ0)if and only ifAhas an_outputtransitionr ∈R_o, which has the form r_,hl,m,guard,updates,l0i,σ∈ [[guard,I]], and [[updates,I]] (σ)≡σ0[mp7→vm].

• (l,σ) _−→ (l0,σ0) if and only if Ahas an _internaltransition r ∈ R, which has the form

r_,hl,m,guard,updates,l0i,σ∈ [[guard,I]], and [[updates,I]] (σ)≡σ0.

For notational convenience we write(l,σ) → (l0,σ0) if (1) there existmandvmsuch that

(l,σ0) m?vm

−−−−→ (l0,σ0), or (2) there exist m and vm such that (l,σ) −m−−−!v→m (l0,σ0), or (3)

(l,σ)_−→ (l0,σ0). Further, given a named transitiont_,hl,m,guard,updates,l0i, we also write (l,σ)_−→t (l0,σ0), to denote(l,σ) m?vm

−−−−→(l0,σ0), or(l,σ) m!vm

−−−−→(l0,σ0), or(l,σ)_−→ (l0,σ0)if

t∈Ri,t∈Ro, ort∈Rrespectively.

An executione of anesmoresm-skAunder an interpretationIis thus a sequence of the following form: e _,(l₀,σ₀)→ (l₁,σ₁)→ · · · → (l_n,σ_n) → · · ·, where for everyj _>0,

(l_j,σ_j)is a state ofA,(l₀,σ₀)is an initial state ofA, and for everyj_>0,(l_j,σ_j)→(l_j+1,σ_j+1). An execution may be finite or infinite.

A state(l,σ)of anesmoresm-skAis_reachableunder an interpretationIif and only ifA has a finite execution of the form(l₀,σ₀)→(l₁,σ₁)→ · · · →(l,σ), underI. A state(l,σ)ofA is calleddeadlockedunder an interpretationIif and only if there does not exist a state(l0,σ0)

such that(l,σ) →(l0,σ0). In other words, no transitions ofAare enabled in a deadlocked state. Anesmoresm-skAis called_{deterministic}under an interpretationIif for every state s= (l,σ)ofA, if it is the case that there are multiple transitions enabled in states, then each of them is an input transition and each of them corresponds to the receipt of adistinctmessage.

Lastly, an infinite executione_,(l₀,σ₀)→(l₁,σ₁)→ · · · of anesmoresm-skA, under an interpretationIis called afairexecution if and only if both of the following hold:

1. For eachF∈Fw, if there exists aksuch that for alli>k, some transitiont0∈Fis enabled

at state(l_i,σ_i)ineunderIthen there existsj_>k, such that(l_k,σ_k)_−→t (l_k+1,σ_k+1)is a step ine, wheret∈F. Informally, if some transition inF∈F_wis enabled at every point in an executioneunder an interpretationIafter a finite prefix ofe, then some transition inF must be taken in the infinite suffix of the executione.

2. For each F ∈ Fs, if there exist infinitely manyi in such that some transitiont0 ∈ F is

enabled at state(l_i,σ_i)ine, underI, then there must also exist infinitely manyj such that(l_j,σ_j) _−→t (l_j+1,σ_j+1) is a step ine, wheret ∈F. Informally, if some transition in

F∈F_wis enabled infinitely often in an executione, under an interpretationI, then some transition inFmust also be executed infinitely often in the executione.