SOS Transition Rules

Having explained the formal description of environments (E, ~), we are ready to explain the first part of the formal semantics, i.e., the SOS transition rules. These SOS transition rules are of the form

hE, ~, Si  h~0, S0, D, ti with the following meaning:

• (E , ~) is the complete environment of the current macro step.

• ~0 is the updated incarnation level function that is obtained by executing local variable declarations in S.

• S0 is the residual statement that has to be executed in the next micro or macro step (depending on the macro step flag t).

• D is a set of pairs (x, v) where x is a variable and v is a value consistent with the type of x. We have to assign the value v to x before starting the next macro step, since v is the value of x in the macro step that has been determined in the current macro step by delayed actions.

• Finally, the boolean value t denotes whether the execution described by the SOS transition rule is instantaneous. Hence, the SOS transition rule describes a micro step if t is true, and a macro step otherwise.

SOS rules for Esterel have been discussed in many papers including [42,248,

253? ] and many equivalent variants exist. For example, some variants differ

in terms of the modeling of trap levels etc. Moreover, the version of SOS rules we consider here determine a residual statement that is executed in the next (micro or macro) step. There are other variants that are based on the ‘haltset encoding’ of the residual statement where only the set of active locations is stored instead of the residual statement. We consider this variant in Section4.5.4.

The SOS transition rules that define the first part of the semantics of Quartz are given in Figures 4.1-4.5. It can be easily proved that for rules hE, ~, Si  h~0_{, S}0_{, D, ti that describe micro steps (i.e., with t = true so that}

Sis instantaneous), the residual statement S0is always nothing. In the follow-

ing, we give some remarks on the rules where we already make use of this invariant:

• The rule for an immediate assignment x = τ requires that x and τ evaluate to the same value in the considered environment (E, ~). Otherwise, the execution is not possible since the environment is not consistent with the statement. Note that this rule does not allow the execution of programs with write conflicts or where a variable would be assigned a value different to the one that is provided by the current environment. For the next micro step, the residual statement nothing is left.

• The rule for delayed assignments simply collects the pair (x,Jτ K

~

E), so that

the value_{Jτ K}~

E can be used to partially determine the environment for the

variable x in the next macro step. As in case of immediate assignments, the residual statement nothing is left to be executed in the next micro step. • assume(σ) checks whether σ holds in the current environment. If this is

the case, then it behaves like nothing, otherwise no execution is possible. Interestingly, assert(σ) has the same SOS rule, so that assume(σ) and assert(σ) share the same operational semantics. However, their meaning is different in terms of verification.

• nothing is always instantaneous and does neither modify the current nor the following environment. Hence, we have ~0_{:= ~, D := {}, and t = true.}

JxK

~ E =Jτ K

~ E

hE, ~, x=τ i  h~, nothing, {}, truei hE, ~, next(x)=τ i  h~, nothing, {(x,Jτ K

~ E)}, truei

JσK

~ E= true

hE, ~, assume(σ)i  h~, nothing, {}, truei JσK

~ E= true

hE, ~, assert(σ)i  h~, nothing, {}, truei hE, ~, nothingi  h~, nothing, {}, truei hE, ~, ` : pausei  h~, nothing, {}, falsei JσK

~

E= trueand hE, ~, S1i  h~1, S10, D1, t1i

hE, ~, if(σ) S1 else S2i  h~1, S10, D1, t1i

JσK

~

E= falseand hE, ~, S2i  h~2, S20, D2, t2i

hE, ~, if(σ) S1 else S2i  h~2, S20, D2, t2i

hE, ~, S1i  h~1, S10, D1, falsei

hE, ~, {S1; S2}i  h~1, {S10; S2}, D1, falsei

hE, ~, S1i  h~1, nothing, D1, truei hE, ~1, S2i  h~2, S02, D2, t2i

hE, ~, {S1; S2}i  h~2, S02, D1∪ D2, t2i

hE, ~, S1i  h~1, S10, D1, t1i hE, ~, S2i  h~2, S20, D2, t2i

hE, ~, {S1k S2}i  hMax(~1, ~2), {S01k S20}, D1∪ D2, t1∧ t2i

hE, ~, Si  h~0, S0, D, falsei

hE, ~, do S while(σ)i  h~0, {S0; while(σ) S}, D, falsei JσK

~ E = false

hE, ~, {while(σ) S}i  h~, nothing, {}, truei JσK

~

E = trueand hE, ~, Si  h~ 0

, S0, D, falsei hE, ~, {while(σ) S}i  h~0

, {S0; while(σ) S}, D, falsei hE, [~]~(x)+1

x , Si  h~

0

, S0, D, ti

hE, ~, {α x; S}i  h~0, S0, {(y, v) ∈ D | x 6= y}, ti

• The rule for `:pause simply states that `:pause does neither modify vari- ables in the current nor in the next macro step. Instead, it terminates the current macro step which is indicated by the termination flag t = false. Moreover, nothing is left to be executed in the next macro step.

• We have two rules for conditionals if(σ) S1 else S2, depending on

whether the condition σ evaluates to true or false. Both rules are straight- forward: depending on_JσK~

E, the condition either behaves exactly like S1

or S2.

• For sequences S1; S2, we consider two cases. In each case, we first execute

S1in the current environment (E, ~). The first rule now considers the case

where the execution of S1 is not instantaneous so that the control flow

gets caught in the residual statement S0

1. In this case, S2 is not started in

the current macro step and the execution in the next macro step executes the sequence S0

1; S2. The updates of the incarnation indices and the set of

delayed actions are the same as for the partial execution of S1.

The second rule considers the case where the execution of S1is instanta-

neous (recall that in this case, the residual statement is nothing by our invariant). For this reason it is sufficient to execute S2in the environment

(E , ~1) in the next micro steps. Clearly, the condition for instantaneous

execution of S1; S2is here the corresponding condition of S2, the final in-

carnation indices are those obtained by the execution of S2and the set of

executed delayed actions is the union of those executed by S1and S2.

• We have listed only one rule for S1 k S2. This rule states that we execute

both S1 and S2 in the environment (E, ~) yielding tuples (~i, Si, Di, ti)

for i ∈ {1, 2}. Clearly, we take the union of the delayed actions, and the condition for instantaneous execution of S1k S2is the conjunction t1∧ t2.

For the remaining statement S0

1k S20, we have to remark that nothing k S02

and S0

1k nothing are both replaced with nothing in order to remove the

parallel statement after termination of at least one thread.

The definition of the final incarnation level function also needs explana- tion: The execution of Siupdates ~ to ~i in that the incarnation levels of

the locally declared variables whose scopes are re-entered during execu- tion of Siare increased according to the number of times these scopes have

been re-entered. Now observe that S1 and S2 can not re-enter the same

local declaration since this would imply that this local variable would have been declared in both substatements. Hence, the updates of S1and S2re-

fer to disjoint sets of local variables. The merge operation for incarnation level functions Max(~1, ~2)is therefore defined as follows for all variables

x:

(Max(~1, ~2))(x) := max({~1(x), ~2(x)})

• The behavior of a do-while loop in the first macro step is defined as the execution of its body statement. However, when the remaining statement S0 will finally terminate, we have to check whether another iteration of

the loop has to be executed. This is conveniently done by adding a while- loop as a sequence to S0. However, this makes it necessary to also list SOS transition rules for while-loops, even though we do not view these as core statements.

• For the execution of while-loops, we first evaluate the loop condition σ. Depending on whether σ holds or not, the loop behaves as nothing or as its loop body. In the latter case, another iteration may follow when the remainder S0 _{terminates, and therefore, we add a sequence with the}

while-loop.

Note that this rules yields a problem for formal reasoning about the SOS rules since the definition of the semantics of while(σ) S by the larger statement {S0_{;while(σ) S} contradicts a well-founded ordering along}

the syntax trees [224]. Instead, the SOS rules provide an operational se- mantics where a potentially infinite execution is defined and the progress is obtained on the micro steps that determine this infinite execution. Con- sidering infinite traces would require more sophisticated induction tech- niques like co-induction. To simplify matters, the alternative approach by means of control flow predicates has been chosen to describe the seman- tics in [223] which has been proved to be equivalent to the SOS rules [224].

• The rule for executing a local declaration {α x; S} first increases the incar- nation level of x so that the updated incarnation level function [~]~(x)+1

x is

obtained from ~. In this new environment, we execute the body statement Sof the local declaration which may furthermore update the incarnation level function to ~0_{. Note that the updated incarnation level function ~}0_has

to be used for further execution so that a further re-entering of {α x; S} considers a higher scope. Note further that we remove all delayed actions on the locally declared variable x since they do no longer exist after leav- ing the scope.

• Figure4.2shows the SOS rules for the four versions of the abortion state- ment. Since the delayed variants are not active in the first macro step, we simply execute their body statement. If this immediately terminates, the abortion statement is simply ignored, otherwise, we embed the remaining statement S0 _{in a weak or strong immediate abortion context so that the}

abortion will be checked in all of the further macro steps.

Hence, it remains to explain the immediate abortion statements. If no abortion takes place, we consider the two cases as described for the de- layed abortion, i.e., if the body statement instantaneously terminates, then the entire statement behaves as the body statement, and otherwise, we embed the remaining statement S0_{in the corresponding abortion context.}

Finally, if the abortion of an immediate abortion statement takes place, we have to distinguish between the strong and the weak abortion. In case of strong abortion, the entire statement behaves as nothing, i.e., no actions of the body statement S are executed. Instead, a weak abortion statement first executes its body statement S thus yielding a tuple (~0_{, S}0_{, D, t). As the}

hE, ~, Si  h~0, nothing, D, truei hE, ~, abort S when(σ)i  h~0, nothing, D, truei

hE, ~, Si  h~0, S0, D, falsei hE, ~, abort S when(σ)i  h~0,

 immediate abort S0 when(σ)  , D, falsei JσK ~ E = true hE, ~,  immediate abort S when(σ)  i  h~, nothing, {}, truei JσK ~

E= falseand hE, ~, Si  h~ 0 , nothing, D, truei hE, ~,  immediate abortS when(σ)  i  h~0, nothing, D, truei JσK ~

E = falseand hE, ~, Si  h~ 0 , S0, D, falsei hE, ~,  immediate abort S when(σ)  i  h~0,  immediate abort S0 when(σ)  , D, falsei hE, ~, Si  h~0 , nothing, D, truei hE, ~,  weak abort S when(σ)  i  h~0 , nothing, D, truei hE, ~, Si  h~0 , S0, D, falsei hE, ~,  weak abort S when(σ)  i  h~0 , 

weak immediate abort S0 when(σ)



, D, falsei

JσK

~

E= trueand hE, ~, Si  h~ 0

, S0, D, ti hE, ~,



weak immediate abort S when(σ)  i  h~0 , nothing, D, truei JσK ~

E= falseand hE, ~, Si  h~ 0

, nothing, D, truei hE, ~,



weak immediate abort S when(σ)  i  h~0 , nothing, D, truei JσK ~

E = falseand hE, ~, Si  h~ 0

, S0, D, falsei hE, ~,



weak immediate abort S when(σ)

 i  h~0

, 

weak immediate abort S0 when(σ)



, D, falsei

hE, ~, Si  h~0, nothing, D, truei

hE, ~, suspend S when(σ)i  h~0, nothing, D, truei hE, ~, Si  h~0, S0, D, falsei

hE, ~, suspend S when(σ)i  h~0,  immediate suspend S0 when(σ)  , D, falsei JσK ~ E = true hE, ~,  immediate suspend S when(σ)  i  h~,  immediate suspend S when(σ)  , {}, falsei JσK ~

E= falseand hE, ~, Si  h~ 0 , nothing, D, truei hE, ~,  immediate suspend S when(σ)  i  h~0, nothing, D, truei JσK ~

E= falseand hE, ~, Si  h~ 0 , S0, D, falsei hE, ~,  immediate suspend S when(σ)  i  h~0,  immediate suspend S0 when(σ)  , D, falsei hE, ~, Si  h~0 , nothing, D, truei hE, ~,  weak suspend S when(σ)  i  h~0 , nothing, D, truei hE, ~, Si  h~0 , S0, D, falsei hE, ~,  weak suspend S when(σ)  i  h~0 , 

weak immediate suspend S0 when(σ)



, D, falsei

JσK

~

E = trueand hE, ~, Si  h~ 0 , S0, D, ti hE, ~,  weak immediatesuspend S when(σ)  i  h~, 

weak immediate suspend S when(σ)



, D, falsei

JσK

~

E= falseand hE, ~, Si  h~ 0

, nothing, D, truei hE, ~,



weak immediate suspend S when(σ)  i  h~0 , nothing, D, truei JσK ~

E = falseand hE, ~, Si  h~ 0

, S0, D, falsei hE, ~,



weak immediate suspend S when(σ)

 i  h~0

, 

weak immediate suspend S0 when(σ)



, D, falsei

abortion takes place, we ignore S0 _{and t and replace them with nothing}

and true, respectively. In contrast to the strong abortion, we retain D since a weak abortion statement allows the execution of the actions of its body that would have been executed without the abortion.

• Figure4.3 shows the SOS rules for the four versions of the suspension statement. The explanations of the delayed suspension statements are the same as in case of the abortion statements. For the immediate suspension statements, the cases where no suspension takes place are also explained as in case of the abortion statements.

Hence, it remains to explain the two rules for immediate suspension when the suspension condition σ holds. Both versions of the immediate suspen- sion statement do then not instantaneously terminate. For this reason, they are also able to hold the control flow similar to pause statements (in fact, pause can be defined in terms of immediate suspension, as we already have mentioned). A strong suspension statement does not modify the cur- rent output variables, while a weak suspension statement allows the exe- cution of the actions of its body statement as if no suspension would take place. In both cases, the current statement is also the remaining statement to be executed in the next macro step.

hE, ~, S1i  h~0, nothing, D, truei

hE, ~, during S1 do S2i  h~0, nothing, D, truei

hE, ~, S1i  h~0, S10, D, falsei

hE, ~, during S1 do S2i  h~0, during S10 do S2, D, truei

hE, ~, S1i  h~0, nothing, D, truei

hE, ~, during S1 do S2i  h~0, nothing, D, truei

hE, ~, S1i  h~0, S10, D1, falsei hE, ~, S2i  hnothing, ~00, S02, D2itrue

hE, ~, during S0

1 do S2i  h~0, S10, D1∪ D2, falsei

Fig. 4.4. SOS Transition Rules (Part IV)

• Finally, Figure4.5presents the SOS transition rules for the during state- ment. If S1 is instantaneous, then during S1 do S2 simply behaves like

S1, i.e., S2 is not executed. In case S1is not instantaneous, we make use

of a pseudo-statement during S1 do S2which may be viewed as an im-

mediate form of during S1 do S2: While during S1 do S2does not ex-

ecute S2 at starting time, during S1 do S2 does so provided that S1 is

not instantaneous at that point of time. Hence, if S1is not instantaneous,

and leaves a residual S0

1 to be executed in the next macro step, then

the residual during S1 do S2 for the next macro step. It therefore re-

mains to define the semantics of during S1 do S2, which is given by the

last two rules of Figure4.5: In case S1is instantaneous, during S1 do S2

behaves like S1 (and therefore like during S1 do S2). Otherwise, S2

is also executed and its actions are added to the actions executed by during S1 do S2. Note that the final rule demands that the execution

of S2must be instantaneous.

JxK

~ E= true

hE, ~, emit x;i  h~, nothing, {}, truei hE, ~, emit next(x);i  h~, nothing, {(x, true)}, truei

hE, ~, `:halti  h~, `:halt, {}, falsei

hE, ~, `:await(σ)i  h~, `:immediate await(σ), {}, falsei JσK

~ E = false

hE, ~, `:immediate await(σ)i  h~, `:immediate await(σ), {}, falsei JσK

~ E= true

hE, ~, `:immediate await(σ)i  h~, nothing, {}, truei hE, ~, Si  h~0

, S0, D, falsei hE, ~, loop Si  h~0

, {S0;loop S}, D, falsei

Fig. 4.5. Derived SOS Transition Rules for Some Macro Statements

The SOS transition rules can already be used to prove what the behavior of statements within a complete environment. In particular, we can use the def- initions of the macro statements to derive the corresponding SOS transition rules of the macro statements. For example, Figure 4.5lists some transition rules of the simple macro definitions.

Moreover, we can use the SOS transition rules to prove the equivalence of statements. Let us consider a few simple examples:

• We defined halt as do pause; while(true). Instead, we could also de-

fine it by loop pause; or while(true) pause;, since the latter lead to the same SOS transition rules.

• We already remarked that pause can be defined by an immediate suspend

statement. This can now be formally proved in that the considered suspen- sion statement leads to the same SOS transition rule. To this end, consider first the following application of the SOS transition rules:

JtrueKE = true

In document The Synchronous Programming Language Quartz (Page 94-103)