# A Memory-Bounded, Deterministic and Terminating Semantics for the Synchronous Programming Language Céu

Anonymous Author(s)

# **Abstract**

CÉU is a synchronous programming language for embedded soft real-time systems. It focus on control-flow safety features, such as safe shared-memory concurrency and safe abortion of lines of execution, while enforcing memory-bounded, deterministic, and terminating reactions to the environment. In this work, we present a small-step structural operational semantics for CÉU and a proof that reactions have the properties enumerated above: that for a given arbitrary timeline of input events, multiple executions of the same program always react in bounded time and arrive at the same final finite memory state.

CCS Concepts • Theory of computation  $\rightarrow$  Operational semantics; • Software and its engineering  $\rightarrow$  Concurrent programming languages; • Computer systems organization  $\rightarrow$  Embedded software;

**Keywords** Operational semantics, CÉU, Synchronous languages

## **ACM Reference Format:**

Anonymous Author(s). 1997. A Memory-Bounded, Deterministic and Terminating Semantics for the Synchronous Programming Language Céu. In *Proceedings of ACM Woodstock conference (WOOD-STOCK'97)*. ACM, New York, NY, USA, 13 pages. https://doi.org/10.475/123\_4

## 1 Introduction

CÉU [19, 21] is a Esterel-based [9] programming language for embedded soft real-time systems that aims to offer a concurrent, safe, and expressive alternative to C with the characteristics that follow:

Reactive: code only executes in reactions to events.

Structured: programs use structured control mechanisms, such as await (to suspend a line of execution), and par (to combine multiple lines of execution).

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).

*WOODSTOCK'97, July 1997, El Paso, Texas USA* © 2016 Copyright held by the owner/author(s). ACM ISBN 123-4567-24-567/08/06...\$15.00 https://doi.org/10.475/123\_4

**Synchronous:** reactions run atomically and to completion on each line of execution, i.e., there's no implicit preemption or real parallelism.

Structured reactive programming lets developers write code in direct style, recovering from the inversion of control imposed by event-driven execution [1, 16, 18]. Synchronous languages offer a simple run-to-completion execution model that enables deterministic execution and make formal reasoning tractable. For this reason, it has been successfully adopted in safety-critical real-time embedded systems [3].

Previous work in the context of embedded sensor networks evaluates the expressiveness of Céu in comparison to event-driven code in C and attests a reduction in source code size (around 25%) with a small increase in memory usage (around 5–10% for *text* and *data*) [21]. Céu has also been used in the context of multimedia systems [22] and games [20].

CÉU inherits the synchronous and imperative mindset of Esterel but adopts a simpler semantics with fine-grained execution control [19]. The list that follows summarizes the semantic peculiarities of CÉU:

- Fine-grained, intra-reaction deterministic execution, which makes CÉU fully deterministic.
- Stack-based execution for internal events, which provides a limited but memory-bounded form of subroutines.
- Finalization mechanism for lines of execution, which makes abortion safe with regards to external resources.

In this work, we present a formal small-step structural operational semantics for Céu and proofs that it enforces memory-bounded, deterministic, and terminating reactions to the environment, i.e., that for a given arbitrary timeline of input events, multiple executions of the same program always react in bounded time and arrive at the same final finite memory state.

### 2 Céu

CÉU is a synchronous reactive language in which programs advance in a sequence of discrete reactions to external events. It is designed for control-intensive applications, supporting concurrent lines of execution, known as *trails*, and instantaneous broadcast communication through events. Computations within a reaction (such as expressions, assignments, and system calls) are also instantaneous considering the synchronous hypothesis [10]. CÉU provides an await statement

112

113

114

115

116

117

118

119

120

121

122

123

124

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

167

169

171

172

173

175

177

178

179

180

181

182

184

185

186

187

188

190

191

192

194

195

196

198

200

201

202

203

205

206

207

208

209

211

212

213

214

215

216

217

218

219

220

that blocks the current running trail allowing the program to advance its other trails; when all trails are blocked, the reaction terminates and control returns to the environment.

In Céu, every execution path within loops must contain at least one await statement to an external input event [6, 21]. This restriction, which is statically checked by the compiler, ensures that every reaction runs in bounded time, eventually terminating with all trails blocked in await statements. Céu has an additional restriction, which it shares with Esterel and synchronous languages in general [4]: computations that take a non-negligible time to run (e.g., cryptography or image processing algorithms) violate the zero-delay hypothesis, and thus cannot be directly implemented.

Listing 1 shows a compact reference of Céu:

```
125
           // Declarations
126
           input \langle type \rangle \langle id \rangle;
                                                     // declares an external input event
127
           event \langle type \rangle \langle id \rangle;
                                                    // declares an internal event
128
                     \langle type \rangle \langle id \rangle;
                                                     // declares a variable
129
           // Event handling
130
           \langle id \rangle = await \langle id \rangle;
                                                    // awaits an event and assigns the received value
131
           emit \langle id \rangle (\langle exp \rangle);
                                                    // emits an event passing a value
132
133
           // Control flow
           \langle stmt \rangle; \langle stmt \rangle
                                                                                 // sequence
134
           if \langle \mathit{exp} \rangle then \langle \mathit{stmts} \rangle else \langle \mathit{stmts} \rangle end
                                                                                 // conditional
135
           loop do (stmts) end
                                                                                  // repetition
136
           every \langle id \rangle in \langle id \rangle do \langle stmts \rangle end
                                                                                  // event iteration
137
           finalize [\langle stmts \rangle] with \langle stmts \rangle end
                                                                                  // finalization
           // Logical parallelism
139
           par/or do \(\stmts\) with \(\stmts\) end \(//\) aborts when any side ends
140
           par/and do \langle stmts \rangle with \langle stmts \rangle end
                                                                       // terminates when all sides ends
141
                        do (stmts) with (stmts) end // never terminates
142
143
           // Assignment & Integration with C
           \langle id \rangle = \langle exp \rangle;
                                                    // assigns a value to a variable
144
                                                    // calls a C function (id starts with '_')
           _{\langle id \rangle (\langle exps \rangle)}
```

Listing 1. The concrete syntax of Céu.

Listing 2 shows a complete example in Céu that toggles a LED whenever a radio packet is received, terminating with a button press always with the LED off. The implementation first declares the BUTTON and RADIO\_RECV as input events (ln. 1-2). Then, it uses a par/or composition to run two activities in parallel: a single statement that waits for a button press before terminating (ln. 4), and an endless loop that toggles the LED on and off on radio receives (ln. 9-14). The finalize clause (ln. 6-8) ensures that, no matter how its enclosing trail terminates, the LED will be unconditionally turned off (ln. 7).

The par/or composition, which stands for a *parallel-or*, provides an orthogonal abortion mechanism [4] in which its composed trails do not know when and how they are aborted (i.e., abortion is external to them). The finalization mechanism extends orthogonal abortion to also work with activities that use stateful resources from the environment

(such as files and network handlers), as we discuss in Section 2.3.

```
1 input void BUTTON;
2 input void RADIO_RECV;
3 par/or do
       await BUTTON;
5 with
       finalize with
6
7
           led(0):
8
9
       loop do
10
           _led(1);
           await RADIO_RECV;
11
12
           _led(0);
13
           await RADIO_RECV;
14
       end
15 end
```

Listing 2. A program in Céu that toggles a LED on every radio receive, terminating on a button press in a consistent

In Céu, any identifier prefixed with an underscore (e.g., \_led) is passed unchanged to the underlying C compiler. Therefore, access to C is straightforward and syntactically traceable. To ensure that programs operate under the synchronous hypothesis, the compiler environment should only provide access to C operations that can be assumed to be instantaneous, such as non-blocking I/O and simple accesses to data structures.

#### 2.1 External and Internal Events

Céu defines time as a discrete sequence of reactions to unique external input events. External input events are received from the environment, and each delimits a new logical unit of time that triggers an associated reaction. The life-cycle of a program in Céu can be summarized as follows [21]:

- i The program initiates a "boot reaction" in a single trail (parallel constructs may create new trails).
- ii Active trails execute until they await or terminate, one after another. This step is called a reaction chain, and always runs in bounded time.
- iii When all trails are blocked, the program goes idle and the environment takes control.
- iv On the occurrence of a new external input event, the environment awakes all trails awaiting that event, and the program goes back to step (ii).

A program must react to an event completely before handling the next one. By the synchronous hypothesis, the time the program spends in step (ii) is conceptually zero (in practice, negligible). Hence, from the point of view of the environment, the program is always idle on step (iii). In practice, if a new external input event occurs while a reaction executes, the event is saved on a queue, which effectively schedules it to be processed in a subsequent reaction.

#### External events and discrete time

The sequential processing of external input events induces a discrete notion of time in Céu, as illustrated in Figure 1. The continuous timeline shows an absolute reference clock with "physical timestamps" for the event occurrences (e.g., event C occurs at 17ms521us). The discrete timeline shows how the same occurring events fit in the logical notion of time of Céu. The boot reaction boot–0 happens before any input, at program startup. Event A "physically" occurs during boot–0 but, because time is discrete, its corresponding reaction only executes afterwards, at logical instant A–1. Similarly, event B occurs during A–1 and its reaction is postponed to execute at B–2. Event C also occurs during A–1 but its reaction must also wait for B–2 to execute and so it is postponed to execute at C–3. Finally, event D occurs during an idle period and can start immediately at D–4.

Unique input events imply mutually exclusive reactions, which execute atomically and never overlap. Automatic mutual exclusion is a prerequisite for deterministic reactions as we discuss in Section 3.

In practice, the synchronous hypothesis for Céu holds if reactions execute faster than the rate of incoming input events. Otherwise, the program would continuously accumulate delays between physical occurrences and actual reactions for the input events. Considering the context soft real-time systems, such delays and postponed reactions might be tolerated as long as they are infrequent and the application does not take too long to catch up with real time. Note that the synchronous semantics is the norm in typical event-driven systems, such as event dispatching in UI toolkits, game loops in game engines, and clock ticks in embedded systems.

#### Internal events as subroutines

In CÉU, queue-based processing of events applies only to external input events, i.e., events submitted to the program by the environment. Internal events, which are events generated internally by the program via emit statements, are processed in a stack-based manner. Internal events provide a fine-grained execution control, and, because of their stack-based processing, can be used to implement a limited form of subroutines, as illustrated in Listing 3:



**Figure 1.** The discrete notion of time in Céu.

```
1 event int* inc;
                              // declares subroutine "inc"
2 par/or do
       var int* p:
       every p in inc do
                              // implements "inc" through an event iterator
4
            *p = *p + 1;
6
       end
7 with
       var int v = 1;
8
                              // calls "inc"
9
       emit inc(&v):
10
       emit inc(&v);
                              // calls "inc"
11
       _assert(v==3);
                              // asserts result after the two returns
12 end
```

**Listing 3.** A Céu program with a "subroutine".

In the example, the "subroutine" inc is defined as an event iterator (ln. 4–6) that continuously awaits its identifying event (ln. 4), and increments the value passed by reference (ln. 5). A trail in parallel (ln. 8–11) invokes the subroutine through two consecutive emit statements (ln. 9–10). Given the stack-based execution for internal events, as the first emit executes, the calling trail pauses (ln. 9), the subroutine awakes (ln. 4), runs its body (yielding v=2), iterates, and awaits the next "call" (ln. 4, again). Only after this sequence does the calling trail resumes (ln. 9), makes a new invocation (ln. 10), and passes the assertion test (ln. 11).

Cfu also supports nested emit invocations, e.g., the body of the subroutine inc (ln. 5) could emit an event targeting another subroutine, creating a new level in the stack. We can think of the stack as a record of the nested, fine-grained internal reactions that happen inside the same outer reaction to a single external event.

This form of subroutines has a significant limitation though: it cannot express recursion, since an emit to itself is always ignored as a running trail cannot be waiting on itself. That being said, it is this very limitation that brings important safety properties to subroutines. First, they are guaranteed to react in bounded time. Second, memory for locals is also bounded, not requiring data stacks.

At first sight, event iteration such as in "every e do <...> end" seems to be equivalent to "loop do await e; <...> end". However, the loop variation would not compile because it does not contain a path to an external input await (e is an internal event). However, event iterators enforce syntactic restrictions and cannot contain await or break statements. The absence of break guarantees that an iterator never terminates from itself, essentially behaving as a safe blocking point in the program. For this reason, the restriction that execution paths within loops must contain at least one external await is extended to alternatively contain an every statement.

## 2.2 Shared-Memory Concurrency

Embedded applications make extensive use of global memory and shared resources, such as through memory-mapped

registers and system calls to device drivers. Hence, an important goal of Céu is to ensure a reliable behavior for programs with concurrent lines of execution sharing memory and interacting with the environment.

```
input void A;
                             input void A;
input void B;
                             // (empty line)
                         2
var int x = 1;
                         3
                             var int y = 1;
par/and do
                             par/and do
                         4
    await A;
                                 await A;
                         5
    x = x + 1;
                                 y = y + 1;
                         6
with
                             with
                         7
    await B;
                                  await A;
                         8
    x = x * 2;
                                   = y * 2;
                         9
end
                             end
```

[a] Accesses to x are never concurrent.

[b] Accesses to y are concurrent but deterministic.

**Figure 2.** Shared-memory concurrency in CÉU: example [a] is safe because the trails access x atomically in different reactions; example [b] is unsafe because both trails access y in the same reaction.

In CÉU, when multiple trails are active during the same reaction, they are scheduled in lexical order, i.e., in the order they appear in the program source code. For instance, consider the two examples in Figure 2, both defining shared variables (ln. 3), and assigning to them in parallel trails (ln. 6, 9).

In the example [a], the two assignments to x can only execute in reactions to different events A and B, which cannot occur simultaneously by definition (Section 2.1). Hence, for the sequence of events A->B, x becomes 4 ((1+1)\*2), while for B->A, x becomes 3 ((1\*2)\*1).

In the example [b], the two assignments to y are simultaneous because they execute in reaction to the same event A. Since Céu employs lexical order for intra-reaction statements, the execution is still deterministic, and y always becomes 4 ((1+1)\*2). However, note that an apparently innocuous change in the order of trails modifies the behavior of the program. To mitigate this threat, Céu performs concurrency checks at compile time to detect conflicting accesses to shared variables: if a variable is written in a trail segment, then a concurrent trail segment cannot read or write to that variable [21]. Nonetheless, the static checks are optional and are not a prerequisite for the deterministic semantics of the language.

## 2.3 Abortion and Finalization

The par/or of Céu is an orthogonal abortion mechanism because the two sides in the composition need not be tweaked with synchronization primitives or state variables in order to affect each other. In addition, abortion is *immediate* in the sense that it executes atomically in the current micro reaction.

```
par/or do
par/or do
   var _msg_t msg;
                          2
                                  var _FILE* f;
   <...> // prepare msg 3
                                  finalize
                                     f = fopen(...);
   finalize
                                  with
       _send(&msg);
                          5
   with
                                     _fclose(f);
                          6
       _cancel(&msg);
                                  end
                                  _fwrite(..., f);
   await SEND_ACK;
                                  await A;
                          9
with
                                  _fwrite(..., f);
                          10
                              with
   <...>
                          11
end
                                  <...>
                          12
//
                          13
                              end
    [a] Local resource
                          [b] External resource finalization
        finalization
```

**Figure 3.** Céu enforces the use of finalization to prevent *dangling pointers* for local resources and *memory leaks* for external resources.

Immediate orthogonal abortion is a distinctive feature of synchronous languages and cannot be expressed effectively in traditional (asynchronous) multi-threaded languages [4, 17].

However, aborting lines of execution that deal with external resources may lead to inconsistencies. For this reason, Céu provides a finalize construct to unconditionally execute a series of statements even if the enclosing block is externally aborted.

Céu also enforces the use of finalize for system calls that deal with pointers representing resources, as illustrated in the two examples of Figure 3:

- If CÉU passes a pointer to a system call (ln. [a]:5), the pointer represents a local resource (ln. [a]:2) that requires finalization (ln. [a]:7).
- If CÉU **receives** a pointer from a system call return (ln. [b]:4), the pointer represents an **external** resource (ln. [b]:2) that requires finalization (ln. [b]:6).

CÉU tracks the interaction of system calls with pointers and requires finalization clauses to accompany them. In the example in Figure 3.a, the local variable msg (ln. 2) is an internal resource passed as a pointer to \_send (ln. 5), which is an asynchronous call that transmits the buffer in the background. If the block aborts (ln. 11) before receiving an acknowledge from the environment (ln. 9), the local msg goes out of scope and the external transmission now holds a *dangling pointer*. The finalization ensures that the transmission also aborts (ln. 7). In the example in Figure 3.b, the call to \_fopen (ln. 4) returns an external file resource as a pointer. If the block aborts (ln. 12) during the await A (ln. 9), the file remains open as a *memory leak*. The finalization ensures that the

file closes properly (ln. 6). In both cases, the code does not compile without the finalize construct. $^1$ 

The finalization mechanism of Céu is fundamental to preserve the orthogonality of the par/or construct since the clean up code is encapsulated in the aborted trail itself.

## 3 Formal Semantics

In this section, we introduce a reduced syntax for Céu and propose an operational semantics to formally describe the behavior of its programs. We describe a small synchronous kernel highlighting the peculiarities of Céu, in particular, the stack-based execution for internal events. For the sake of simplicity, we focus on the control aspects of the language, leaving out side-effects and system calls (which behave like in conventional imperative languages).

# 3.1 Abstract Syntax

The grammar below defines the syntax of a subset of Céu that is sufficient to describe all semantic peculiarities of the language.

```
p := mem(id)
                                     any memory access to "id"
    \mid await_{ext}(id)
                                    await external event "id"
     await_{int}(id)
                                     await internal event "id"
      emit_{int}(id)
                                    emit internal event "id"
     break
                                    loop escape
    | if mem(id) then p_1 else p_2
                                     conditional
     p_1; p_2
                                     sequence
    | loop p_1
                                     repetition
    | every id p_1
                                     event iteration
                                    par/and
    | p_1 \text{ and } p_2 |
                                    par/or
     p_2 or p_2
    | finp
                                     finalization
     p_1 @loop p_2
                                     unwinded loop
     p_1 @and p_2
                                     unwinded par/and
                                     unwinded par/or
    p_1 @or p_2
     @canrun(n)
                                     can run on stack level n
     @nop
                                     terminated program
```

The mem(id) primitive represents all accesses, assignments, and system calls that affect a memory location identified by id. According to the synchronous hypothesis of Céu, mem expressions are considered to be atomic and instantaneous. As the challenging parts of Céu reside on its control structures, we are not concerned here with a precise semantics for side effects, but only with their occurrences in programs.

We assume that mem, await $_{ext}$ , and await $_{int}$  and emit $_{int}$  expressions do not share identifiers: any identifier is either a variable, an external event, or an internal event.

Most expressions in the abstract language are mapped to their counterparts in the concrete language. The exceptions are the finalization block fin p and the @-expressions,

which are internal expressions that result from the expansion of awaits, emits, and loops by the transition rules to be discussed

Regarding other mismatches between the concrete and abstract languages, the concrete await and emit primitives support communication of values between them, e.g., an "emit a(10)" awakes a "v=await a" setting variable v to 10. To reproduce this functionality in the formal semantics, we can use a shared variable to hold the value of an emitint and access it after the corresponding await int. Also, a "finalize A with B end; C" in the concrete language is equivalent to "A; ((fin B) or C)" in the abstract language. In the concrete language, A and C execute in sequence, and the finalization code B is implicitly suspended waiting for C termination. In the abstract language, "fin B" suspends forever when reached (it is an awaiting expression that never awakes). Hence, we need an explicit or to execute *C* in parallel, whose termination aborts "fin B", which finally causes B to execute (by the semantic rules to be discussed).

## 3.2 Operational Semantics

The core of our semantics describes how a program reacts to a single external input event, i.e., starting from an input event, how the program behaves and becomes idle again to proceed to a subsequent reaction. We use a set of small-step operational rules, which are built in such a way that at most one transition is possible at any time, resulting in deterministic reactions. The transition rules map a triple with a program p, a stack level n, and an emitted event e to a modified triple as follows:

$$\langle p, n, e \rangle \longrightarrow \langle p', n', e' \rangle$$
,

where  $p, p' \in P$  are abstract-language programs,  $n, n' \in N$  are nonnegative integers representing the current stack level, and  $e, e' \in E \cup \{\varepsilon\}$  are the events emitted before and after the transition (both possibly the empty event  $\varepsilon$ ).

We will refer to the triples on the left-hand and right-hand sides of symbol  $\rightarrow$  as *descriptions* (denoted  $\delta$ ). The triple on the left-hand side of symbol  $\rightarrow$  is called the *input description*, and the triple on its right-hand side is called the *output description*.

At the beginning of a reaction to an input event id, the input description is initialized with stack level 0 (n = 0) and with the emitted event (e = id). At the end of a reaction, after an arbitrary but finite number of transitions, the last output description will block with a (possibly) modified program p', at stack level 0, and with no event emitted ( $\varepsilon$ ):

$$\langle p, 0, e \rangle \xrightarrow{*} \langle p', 0, \varepsilon \rangle$$
.

We distinguish between two types of transition rules: *outermost transitions*  $\xrightarrow{out}$  and *nested transitions*  $\xrightarrow{nst}$ .

<sup>&</sup>lt;sup>1</sup> The compiler only forces the programmer to write the finalization clause, but cannot check if it actually handles the resource properly.

#### **Outermost transitions**

The  $\overrightarrow{out}$  rules **push** and **pop** are non-recursive definitions that only apply to the program as a whole and manipulate the stack level:

$$\frac{e \neq \varepsilon}{\langle p, n, e \rangle \xrightarrow{out} \langle bcast(p, e), n + 1, \varepsilon \rangle}$$
 (push)

$$\frac{n > 0 \quad p = @nop \lor isblocked(p, n)}{\langle p, n, \varepsilon \rangle \xrightarrow{out} \langle p, n - 1, \varepsilon \rangle}$$
 (pop)

Rule **push** matches whenever there is an emitted event in the input description, and instantly broadcasts the event to the program, which means (a) awaking active await<sub>ext</sub> or await<sub>int</sub> expressions altogether (see function *bcast* in Figure 4), (b) creating a nested reaction by increasing the stack level, and, at the same time, and (c) consuming the event (e becomes  $\varepsilon$ ). Rule **push** is the only rule in the semantics that matches an emitted event and also immediately consumes it.

Rule **pop** only decreases the stack level, not affecting the program, and only applies if the program is blocked (see function *isblocked* in Figure 4). This condition ensures that an  $\mathsf{emit}_{int}$  only resumes after its internal reaction completes and blocks, as discussed in Section 2.1.

At the beginning of the reaction, an external event is emitted, which will trigger rule **push**, which will immediately raise the stack level to 1. At the end of the reaction, the program will block or terminate and successive applications of rule **pop** will eventually lead to a description containing this same program at stack level 0. (Rule **pop** is the only rule that decreases the stack level.)

#### **Nested transitions**

The  $\xrightarrow{nst}$  rules are recursive definitions with the following general format:

$$\langle p, n, \varepsilon \rangle \xrightarrow{nst} \langle p', n, e \rangle$$
.

Nested transitions do not affect the stack level and never have an emitted event as a precondition. The distinction between  $\overrightarrow{out}$  and  $\overrightarrow{nst}$  prevents rules **push** and **pop** from matching and, consequently, from inadvertently modifying the current stack level before the nested reaction is complete.

A complete reaction consists of the following series of transitions:

$$\langle p, 0, e_{ext} \rangle \xrightarrow{push} \langle p_1, 1, \varepsilon \rangle \left[ \xrightarrow{*} \xrightarrow{out} \right] * \xrightarrow{*} \xrightarrow{pop} \langle p', 0, \varepsilon \rangle.$$

First, a  $\frac{push}{out}$  starts a nested reaction at level 1. Then, a series of alternations between zero or more  $\xrightarrow{nst}$  transitions (nested reactions) and a single  $\xrightarrow{out}$  transition (stack operation) takes place. Finally, a last  $\frac{pop}{out}$  transition decrements the stack level to 0 and terminates the reaction.

The  $\xrightarrow{nst}$  transition rules for atomic expressions are defined as follows:

$$\langle \mathsf{mem}(id), n, \varepsilon \rangle \xrightarrow[nst]{} \langle \mathsf{@nop}, n, \varepsilon \rangle \qquad \qquad \mathbf{(mem)}$$
 
$$\langle \mathsf{emit}_{int}(id), n, \varepsilon \rangle \xrightarrow[nst]{} \langle \mathsf{@canrun}(n), n, id \rangle \qquad \mathbf{(emit\text{-int})}$$

$$\langle \text{@canrun}(n), n, \varepsilon \rangle \xrightarrow{nst} \langle \text{@nop}, n, \varepsilon \rangle$$
 (can-run)

A mem operation becomes a @nop which indicates the memory access (rule **mem**). An emit<sub>int</sub>(id) generates an event id and transits to a @canrun(n) which can only resume at level n (rule **emit-int**). Since all  $\frac{1}{nst}$  rules can only transit with  $e = \varepsilon$ , an emit<sub>int</sub> causes rule **push** to execute at the outer level, creating a new level n + 1 on the stack. Also, with the new stack level, the resulting @canrun(n) itself cannot transit (rule **can-run**), providing the desired stack-based semantics for internal events.

Proceeding to compound expressions, the rules for conditionals and sequences are straightforward:

$$\frac{eval(\mathsf{mem}(id))}{\langle \mathsf{if}\,\mathsf{mem}(id)\,\mathsf{then}\,p\,\mathsf{else}\,q,n,\varepsilon\rangle\xrightarrow{\mathit{nst}}\langle p,n,\varepsilon\rangle} \qquad (\mathbf{if\text{-true}})$$

$$\frac{\neg \ eval(\mathsf{mem}(id))}{\langle \mathsf{if} \ \mathsf{mem}(id) \ \mathsf{then} \ p \ \mathsf{else} \ q, n, \varepsilon \rangle \xrightarrow[nst]{} \langle q, n, \varepsilon \rangle} \quad \ (\mathsf{if-false})$$

$$\frac{\langle p, n, \varepsilon \rangle \xrightarrow{nst} \langle p', n, e \rangle}{\langle p; q, n, \varepsilon \rangle \xrightarrow{nst} \langle p'; q, n, e \rangle}$$
 (seq-adv)

$$\langle \text{@nop}; q, n, \varepsilon \rangle \xrightarrow{nst} \langle q, n, \varepsilon \rangle$$
 (seq-nop)

$$\langle \text{break}; q, n, \varepsilon \rangle \xrightarrow{nst} \langle \text{break}, n, \varepsilon \rangle$$
 (seq-brk)

Given that our semantics focuses on control, rules **if-true** and **if-false** are the only to query mem expressions. Function *eval* evaluates a given mem expression.

The rules for loops are analogous to sequences, but use "@" as separators to properly bind breaks to their enclosing loops:

$$\langle \text{loop } p, n, \varepsilon \rangle \xrightarrow{nst} \langle p \otimes \text{loop } p, n, \varepsilon \rangle$$
 (**loop-expd**)

$$\frac{\langle q, n, \varepsilon \rangle \xrightarrow{nst} \langle q', n, e \rangle}{\langle q \text{ @loop } p, n, \varepsilon \rangle \xrightarrow{nst} \langle q' \text{ @loop } p, n, e \rangle}$$
 (loop-adv

$$\langle \text{enop eloop } p, n, \varepsilon \rangle \xrightarrow{\text{nst}} \langle \text{loop } p, n, \varepsilon \rangle$$
 (loop-nop)

$$\langle \text{break @loop } p, n, \varepsilon \rangle \xrightarrow{nst} \langle \text{@nop}, n, \varepsilon \rangle$$
 (loop-brk)

When a program encounters a loop, it first expands its body in sequence with itself (rule loop-expd). Rules loop-adv and loop-nop are similar to rules seq-adv and seq-nop, advancing the loop until a @nop is reached. However, what follows the loop is the loop itself (rule loop-nop). Note that if we used ";" as a separator in loops, rules loop-brk and seq-brk would conflict. Rule loop-brk escapes the enclosing loop, transforming everything into a @nop.

The semantic rules for and and or compositions force transitions on their left branches p to occur before their

right branches q:

 $\langle p \text{ and } q, n, \varepsilon \rangle \xrightarrow{nst} \langle p \text{ Qand (Qcanrun}(n); q), n, \varepsilon \rangle$  (and-expd)

$$\frac{\langle p, n, \varepsilon \rangle \xrightarrow{nst} \langle p', n, e \rangle}{\langle p \text{ eand } q, n, \varepsilon \rangle \xrightarrow{nst} \langle p' \text{ eand } q, n, e \rangle}$$
 (and-adv1)

$$\frac{isblocked(p,n) \qquad \langle q,n,\varepsilon\rangle \xrightarrow{nst} \langle q',n,e\rangle}{\langle p \text{ Qand } q,n,\varepsilon\rangle \xrightarrow{nst} \langle p \text{ Qand } q',n,e\rangle}$$
 (and-adv2)

$$\langle p \text{ or } q, n, \varepsilon \rangle \xrightarrow[nst]{} \langle p \text{ @or } (\text{@canrun}(n); q), n, \varepsilon \rangle \quad \textbf{(or-expd)}$$

$$\frac{\langle p, n, \varepsilon \rangle \xrightarrow{nst} \langle p', n, e \rangle}{\langle p \text{ @or } q, n, \varepsilon \rangle \xrightarrow{nst} \langle p' \text{ @or } q, n, e \rangle}$$
 (or-adv1)

$$\frac{isblocked(p,n) \qquad \langle q,n,\varepsilon\rangle \xrightarrow{nst} \langle q',n,e\rangle}{\langle p \text{ @or } q,n,\varepsilon\rangle \xrightarrow{nst} \langle p \text{ @or } q',n,e\rangle} \qquad \text{(or-adv2)}$$

Rules **and-expd** and **or-expd** insert a @canrun(n) at the beginning of the right branch. This ensures that any emit<sub>int</sub> on the left branch, which transits to a @canrun(n), still resumes before the right branch starts. The deterministic behavior of the semantics relies on the *isblocked* predicate (see Figure 4) which appears in rules **and-adv2** and **or-adv2**. These rules require the left branch p to be blocked for the right branch to transition from q to q'.

In a parallel @and, if one of the sides terminates, the composition is simply substituted by the other side (rules **and-nop1** and **and-nop2** below). In a parallel @or, however, if one of the sides terminates, the whole composition terminates and function *clear* is used to properly finalize the aborted side (rules **or-nop1** and **or-nop2**).

(@nop @and 
$$q, n, \varepsilon$$
)  $\xrightarrow{nst}$   $\langle q, n, \varepsilon \rangle$  (and-nop1)

$$\frac{isblocked(p,n)}{\langle p \text{ @and @nop}, n, \varepsilon \rangle \xrightarrow{nst} \langle p, n, \varepsilon \rangle}$$
 (and-nop2)

$$\langle \text{enop @or } q, n, \varepsilon \rangle \xrightarrow{nst} \langle clear(q), n, \varepsilon \rangle$$
 (or-nop1)

$$\frac{isblocked(p,n)}{\langle p \; @ \text{or} \; @ \text{nop}, n, \varepsilon \rangle \xrightarrow{nst} \langle clear(p), n, \varepsilon \rangle} \qquad \qquad (\text{or-nop2})$$

The clear function (see Figure 4) concatenates all active fin bodies of the side being aborted, so that they execute before the composition rejoins. Note that there are no transition rules for fin expressions. This is because once reached, a fin expression halts and will only execute when it is aborted by a parallel trail and is expanded by the clear function. Note also that there is a syntactic restriction that postulates that fin bodies cannot contain awaiting expressions (await $_{ext}$ , await $_{int}$ , every, or fin), i.e., the result of a clear call is guaranteed to execute entirely within a reaction.

Finally, a break in one of the sides in parallel escapes the closest enclosing loop, properly aborting the other side by

applying the *clear* function:

$$\langle \text{break @and } q, n, \varepsilon \rangle \xrightarrow{nst} \langle clear(q); \text{break}, n, \varepsilon \rangle$$
 (and-brk1)

$$\frac{isblocked(p,n)}{\langle p \text{ @and break}, n, \varepsilon \rangle \xrightarrow[nst]{} \langle clear(p); \text{break}, n, \varepsilon \rangle} \ \ (\text{and-brk2})$$

$$\langle \text{break @or } q, n, \varepsilon \rangle \xrightarrow{nst} \langle clear(q); \text{break}, n, \varepsilon \rangle$$
 (or-brk1)

$$\frac{isblocked(p,n)}{\langle p \text{ @or break}, n, \varepsilon \rangle \xrightarrow{nst} \langle clear(p); \text{break}, n, \varepsilon \rangle} \quad \textbf{(or-brk2)}$$

A reaction eventually blocks in await<sub>ext</sub>, await<sub>int</sub>, every, fin, and @canrun expressions in parallel trails. If no trails are blocked in @canrun expressions, it means that the program cannot advance in the current reaction. However, @canrun expressions can still resume in lower stack indexes and will eventually resume in the current reaction (see rule **pop**).

# 3.3 Determinism, Termination, and Memory Bounds

- informal discussion

#### **Determinism**

The proof for determinism relies on the fact all semantic rules are mutually exclusive, i.e., their preconditions are unique in the set of rules. This can be verified by direct inspection of rules.

Rule **push** is the only one with  $e \neq \epsilon$  as a precondition, and is trivially mutually exclusive with all other rules.

Rule **pop** either has p = @nop or isblocked(n, p) as preconditions. Note that rule **pop** only applies syntactically to top-level transitions. For instance, it can never match  $\longrightarrow$ rules for subprograms as in rule seq-adv. Hence, for the first case, rule **pop** only applies, and is the only one to apply, to nop as the whole program (i.e., a nop not surrounded by other expressions, such as in rule seq-nop). For the second case, we need to show that given  $\langle p, n, \epsilon \rangle$ , no  $\xrightarrow{nst}$  transitions apply with isblocked(n, p) and vice versa. Except for @canrun, there are no  $\xrightarrow{nst}$  transitions for the other blocking expressions (awaitExt, awaitInt, every, and fin). However, considering the precondition  $\langle p, n, \epsilon \rangle$ , *isblocked*(n, @canrun(n))is false. Hence, given the preconditions for rule **pop**, no  $\xrightarrow{nst}$ transitions can occur. Conversely, if a  $\xrightarrow{nst}$  transition is possible, then isblocked(n, p) must be false. Again, except for @canrun, all other transitions do not involve blocking expressions, hence, for these transitions, isblocked(n, p) must be false. For rule canrun, a transition can only occur if the current stack level matches @canrun(n). In this case, isblocked(n,@canrun(n)) is false.

Finally, we need to show that  $\longrightarrow_{nst}$  transitions are mutually exclusive among themselves. Note that most rules have unique syntactic prefixes, e.g., (@nop @and q) (rule and-nop1) is trivially mutually exclusive with (@nop @loop p)

```
771
                                  (i) Function bcast:
772
                bcast(await_{ext}(e), e) = @nop
773
                bcast(await_{int}(e), e) = @nop
774
                  bcast(every e p, e) = p; every e p
775
                bcast(@canrun(n), e) = @canrun(n)
776
                       bcast(fin p, e) = fin p
777
                           bcast(p; q) = bcast(p, e); q
778
                  bcast(p@loop q, e) = bcast(p, e)@loop q
                   bcast(p \ Qand \ q, e) = bcast(p, e) \ Qand \ bcast(q, e)
780
                     bcast(p @ or q, e) = bcast(p, e) @ or bcast(q, e)
781
                           bcast(\_, e) = \bot (mem, emit<sub>int</sub>, break,
782
                                          if then else, loop, and, or, @nop)
783
                               (ii) Predicate isblocked:
784
            isblocked(await_{ext}(e), n) = true
785
            isblocked(await_{int}(e), n) = true
786
              isblocked(every e p, n) = true
787
           isblocked(@canrun(m), n) = (n > m)
788
                   isblocked(fin p, n) = true
789
                    isblocked(p; q, n) = isblocked(p, n)
790
              isblocked(p@loop q, n) = isblocked(p, n)
791
               isblocked(p @and q, n) = isblocked(p, n) \land isblocked(q, n)
792
                isblocked(p @ or q, n) = isblocked(p, n) \land isblocked(q, n)
793
                       isblocked(\_, n) = false (mem, emit_{int}, break,
794
                                         if then else, loop, and, or, @nop)
795
                                 (iii) Function clear:
                   clear(await_{ext}(e)) = @nop
797
                   clear(await_{int}(e)) = @nop
798
                     clear(every e p) = @nop
799
                   clear(@canrun(n)) = @nop
800
                          clear(fin p) = p
801
                           clear(p; q) = clear(p)
802
                     clear(p@loop q) = clear(p)
803
                      clear(p @and q) = clear(p); clear(q)
804
                        clear(p @ or q) = clear(p); clear(q)
805
                              clear(\_) = \bot \text{ (mem, emit}_{int}, \text{break,}
806
                                         if then else, loop, and, or, @nop)
807
808
```

**Figure 4.** (i) Function bcast awakes awaiting trails matching the event by converting await<sub>ext</sub> and await<sub>int</sub> to @nop expressions, and by unwinding every expressions. (ii) Predicate isblocked is true only if all branches in parallel are blocked waiting for events, for finalization clauses, or for certain stack levels. (iii) Function clear extracts fin expressions in parallel and put their bodies in sequence.

(rule **or-nop1**). The only exceptions are rules **and-adv1** vs. **and-adv2**, and **or-adv1** vs. **or-adv2**. In both cases, we need to show that if the left branch can advance, then it cannot be blocked and vice-versa, i.e., that  $\langle p, n, \epsilon \rangle \xrightarrow{nst} \langle p', n, e \rangle$  and isblocked(n, p) are mutually exclusive, which is exactly the same reasoning for rule **pop** above.

#### Termination

there is always a possible transition until n=0
 every cannot restart itself - break disallowed - emit ignored

## **Memory Bounds**

 program is finite - lexical scope - no heap allocation - no code reentrancy - reexecution only due to loops - loop reuse nested vars -

### 4 Related Work

CÉU was strongly influenced by Esterel but they differ in the most fundamental aspect of the notion of time [21]. Esterel defines time as a discrete sequence of logical unit instants or "ticks". At each tick, the program reacts to an arbitrary number of simultaneous input events from the environment. The presence of multiple inputs requires careful static analysis to detect and reject programs with *causality cycles* and *schizophrenia problems* [5, 8, 12, 23–26, 30]. In contrast, CÉU defines time as a discrete sequence of reactions to unique input events. In the formal semantics, ...

## Francisco: como isso aparece na semantica

... Céu also rejects some syntactically correct programs to avoid infinite execution, but with simple restrictions in the abstract syntax tree.

Another distinction is that, in Esterel, the behavior of internal and external events is equivalent, while in Céu internal events introduce stack-based micro reactions within external reactions, providing more fine-grained control for intra-reaction execution. In the formal semantics, ...

#### Francisco: como isso aparece na semantica

... Some variants of the Statecharts synchronous visual language also distinguish internal from external events [28]. In Statemate [14], "reactions to external and internal events (...) can be sensed only after completion of the step", implying queue-based execution. In Stateflow [13], "the receiving state (of the event) acts here as a function", which is similar to CÉU's stack-based execution. We are not aware of formalizations for these ideas for a deeper comparison with CÉU.

Like other synchronous languages (Reactive C [7], Protothreads [11], SOL [15], SC [29], and PRET-C [2]), CÉU relies on deterministic scheduling to preserve intra-reaction determinism. In addition, it also performs concurrency checks to detect trails that, when reordered, change the observable behavior of the program, i.e., trails that actually rely on deterministic scheduling [21]. Esterel is only deterministic with respect to external behavior: "the same sequence of inputs always produces the same sequence of outputs" [6]. However, the execution order for operations within a reaction is non-deterministic: "if there is no control dependency, as in (call f1() || call f2()), the order is unspecified and it would be an error to rely on it" [6]. For this reason, Esterel, does not support shared-memory concurrency: "if a variable

882

883

884

886

887

888

889

890

891

892

893

894

895

896

897

898

899

900

901

902

903

904

905

906

907

909

910

911

912

913

914

915

916

917

918

919

920

921

922

923

924

925

926

927

928

929

930

931

932

933

934

935

936

937

938

939

941

942

943

945

946

947

948

949

950

951

952

953

954

955

956

957

958

959

960

961

962

963

964

965

966

967

968

969

970

971

972

973

975

976

977

978

979

980

981

982

983

984

985

986

987

988

989

990

is written by some thread, then it can neither be read nor be written by concurrent threads" [6].

Esterel describes a finalization mechanism in a standardization proposal [27] that is similar to CÉU's. However, we are not aware of an open implementation or a formal semantics for a deeper comparison.

Francisco: outras linguagens sincronas

Francisco: outras linguagens deterministicas

Francisco: outras linguagens com terminacao

# 5 Conclusion

Francisco: TODO

## References

- A. Adya et al. 2002. Cooperative Task Management Without Manual Stack Management. In *Proceedings of ATEC'02*. USENIX Association, 289–302.
- [2] Sidharta Andalam, Partha Roop, and Alain Girault. 2010. Predictable multithreading of embedded applications using PRET-C. In *Proceeding* of MEMOCODE'10. IEEE, 159–168.
- [3] Albert Benveniste, Paul Caspi, Stephen A. Edwards, Nicolas Halbwachs, Paul Le Guernic, and Robert De Simone. 2003. The synchronous languages twelve years later. In *Proceedings of the IEEE*, Vol. 91. 64–83.
- [4] Gérard Berry. 1993. Preemption in Concurrent Systems.. In FSTTCS (LNCS), Vol. 761. Springer, 72–93.
- [5] Gérard Berry. 1999. The Constructive Semantics of Pure Esterel (draft version 3). Ecole des Mines de Paris and INRIA.
- [6] Gérard Berry. 2000. The Esterel-V5 Language Primer. CMA and Inria, Sophia-Antipolis, France. Version 5.10, Release 2.0.
- [7] Frédéric Boussinot. 1991. Reactive C: An extension of C to program reactive systems. Software: Practice and Experience 21, 4 (1991), 401– 428
- [8] Frédéric Boussinot. 1998. SugarCubes implementation of causality. (1998).
- [9] Frédéric Boussinot and Robert De Simone. 1991. The Esterel language. Proc. IEEE 79, 9 (Sep 1991), 1293–1304.
- [10] Robert de Simone, Jean-Pierre Talpin, and Dumitru Potop-Butucaru. 2005. The Synchronous Hypothesis and Synchronous Languages. In Embedded Systems Handbook, R. Zurawski (Ed.).
- [11] Adam Dunkels, Oliver Schmidt, Thiemo Voigt, and Muneeb Ali. 2006. Protothreads: simplifying event-driven programming of memory-constrained embedded systems. In *Proceedings of SenSys'06*. ACM, 29–42
- [12] Stephen A. Edwards. 2005. Using and Compiling Esterel. MEM-OCODE'05 Tutorial. (July 2005).
- [13] Grégoire Hamon and John Rushby. 2007. An operational semantics for Stateflow. *International Journal on Software Tools for Technology Transfer* 9, 5-6 (2007), 447–456.
- [14] David Harel and Amnon Naamad. 1996. The STATEMATE semantics of statecharts. ACM Transactions on Software Engineering and Methodology 5, 4 (1996), 293–333.
- [15] Marcin Karpinski and Vinny Cahill. 2007. High-Level Application Development is Realistic for Wireless Sensor Networks. In *Proceedings* of SECON'07. 610–619.
- [16] Ingo Maier, Tiark Rompf, and Martin Odersky. 2010. Deprecating the observer pattern. Technical Report.
- [17] ORACLE. 2011. Java Thread Primitive Deprecation. http://docs.oracle.com/javase/6/docs/technotes/guides/concurrency/threadPrimitiveDeprecation.html (accessed in Aug-2014). (2011).

- [18] Guido Salvaneschi et al. 2014. REScala: Bridging between objectoriented and functional style in reactive applications. In *Proceedings* of Modularity'13. ACM, 25–36.
- [19] Francisco Sant'anna, Roberto Ierusalimschy, Noemi Rodriguez, Silvana Rossetto, and Adriano Branco. 2017. The Design and Implementation of the Synchronous Language CÉU. ACM Trans. Embed. Comput. Syst. 16, 4, Article 98 (July 2017), 26 pages. https://doi.org/10.1145/3035544
- [20] Francisco Sant'Anna, Noemi Rodriguez, and Roberto Ierusalimschy. 2015. Structured Synchronous Reactive Programming with Céu. In Proceedings of Modularity'15.
- [21] Francisco Sant'Anna, Noemi Rodriguez, Roberto Ierusalimschy, Olaf Landsiedel, and Philippas Tsigas. 2013. Safe System-level Concurrency on Resource-Constrained Nodes. In *Proceedings of SenSys'13*. ACM.
- [22] Rodrigo Santos, Guilherme Lima, Francisco Sant'Anna, and Noemi Rodriguez. 2016. Céu-Media: Local Inter-Media Synchronization Using Céu. In *Proceedings of WebMedia* '16. ACM, New York, NY, USA, 143– 150. https://doi.org/10.1145/2976796.2976856
- [23] Klaus Schneider and Michael Wenz. 2001. A new method for compiling schizophrenic synchronous programs. In *Proceedings of CASES'01*. ACM, 49–58.
- [24] Ellen M Sentovich. 1997. Quick conservative causality analysis. In System Synthesis, 1997. Proceedings., Tenth International Symposium on. IEEE. 2–8.
- [25] Thomas R Shiple, Gerard Berry, and Hemé Touati. 1996. Constructive analysis of cyclic circuits. In European Design and Test Conference, 1996. ED&TC 96. Proceedings. IEEE, 328–333.
- [26] Olivier Tardieu and Robert De Simone. 2004. Curing schizophrenia by program rewriting in Esterel. In *Proceedings of MEMOCODE'04*. IEEE, 39–48.
- [27] Esterel Technologies. 2005. The Esterel v7 Reference Manual. Initial IEEE standardization proposal.
- [28] Michael von der Beeck. 1994. A comparison of statecharts variants. In Proceedings of FTRTFT'94. Springer, 128–148.
- [29] Reinhard von Hanxleden. 2009. SyncCharts in C: a proposal for lightweight, deterministic concurrency. In *Proceedings EMSOFT'09*. ACM, 225–234.
- [30] Jeong-Han Yun, Chul-Joo Kim, Seonggun Kim, Kwang-Moo Choe, and Taisook Han. 2013. Detection of harmful schizophrenic statements in Esterel. ACM Transactions on Embedded Computing Systems (TECS) 12, 3 (2013), 80.

# A Proofs

## Determinism

**Lemma A.1.** If  $\delta \xrightarrow{out} \delta_1$  and  $\delta \xrightarrow{out} \delta_2$  then  $\delta_1 = \delta_2$ .

*Proof.* The lemma is vacuously true if  $\delta$  cannot be advanced by  $\frac{1}{out}$  transitions. Suppose that is not the case and let  $\delta = \langle p, n, e \rangle$ ,  $\delta_1 = \langle p_1, n_1, e_1 \rangle$  and  $\delta_2 = \langle p_2, n_2, e_2 \rangle$ . Then, there are two possibilities.

Case 1.  $e \neq \varepsilon$ . Both transitions are applications of **push**. Hence  $p_1 = p_2 = bcast(p, e)$ ,  $n_1 = n_2 = n + 1$ , and  $e_1 = e_2 = \varepsilon$ .

*Case* 2.  $e = \varepsilon$ . Both transitions are applications of **pop**. Hence  $p_1 = p_2 = p$ ,  $n_1 = n_2 = n - 1$ , and  $e_1 = e_2 = \varepsilon$ .

**Theorem A.2.** If  $\delta \xrightarrow[out]{n} \delta_1$  and  $\delta \xrightarrow[out]{n} \delta_2$  then  $\delta_1 = \delta_2$ .

*Proof.* By induction on n. The theorem is trivially true for n=0 and follows directly from Lemma A.1 for n=1. (The theorem is vacuously true for  $\frac{push}{out}$  transitions if n>1 since, by definition,  $\frac{push}{out}$  transitions cannot be applied more than

 once in a row and cannot occur after a  $\frac{pop}{out}$  transition.) Suppose  $\delta \xrightarrow[]{0}{ut} \delta'_1 \xrightarrow[]{n-1} \delta_1$  and  $\delta \xrightarrow[]{1}{ut} \delta'_2 \xrightarrow[]{n-1} \delta_2$ , for some n > 1 and  $\delta'_1, \delta'_2 \in \Delta$ . By Lemma A.1,  $\delta'_1 = \delta'_2$ . By the induction hypothesis,  $\delta_1 = \delta_2$ .

**Lemma A.3.** If  $\delta \xrightarrow{nst} \delta_1$  and  $\delta \xrightarrow{nst} \delta_2$  then  $\delta_1 = \delta_2$ .

*Proof.* By induction on the structure of  $\xrightarrow{nst}$  derivations. The lemma is vacuously true if  $\delta$  cannot be advanced by  $\xrightarrow{nst}$  transitions. Suppose that is not the case and let  $\delta = \langle p, n, e \rangle$ ,  $\delta_1 = \langle p_1, n_1, e_1 \rangle$  and  $\delta_2 = \langle p_2, n_2, e_2 \rangle$ . Then, by the hypothesis of the lemma, there are derivations  $\pi_1$  and  $\pi_2$  such that

$$\pi_1 \Vdash \langle p, n, e \rangle \xrightarrow{nst} \langle p_1, n_1, e_1 \rangle$$
  
 $\pi_2 \Vdash \langle p, n, e \rangle \xrightarrow{nst} \langle p_2, n_2, e_2 \rangle$ 

i.e., the conclusion of  $\pi_1$  is  $\langle p, n, e \rangle \xrightarrow{nst} \langle p_1, n_1, e_1 \rangle$  and the conclusion of  $\pi_2$  is  $\langle p, n, e \rangle \xrightarrow{nst} \langle p_2, n_2, e_2 \rangle$ .

By definition of  $\xrightarrow{nst}$ , we have that  $e = \varepsilon$  and  $n_1 = n_2 = n$ . It remains to be shown that  $p_1 = p_2$  and  $e_1 = e_2$ .

Depending on the structure of program p, the following 11 cases are possible. (Note that p cannot be an await<sub>ext</sub>, await<sub>int</sub>, break, every, fin, or @nop expression as there are no  $\frac{1}{nst}$  rules to transition such programs.)

Case 1. p = mem(id). Then derivations  $\pi_1$  and  $\pi_2$  are instances of rule **mem**, i.e., their conclusions are obtained by an application of this rule. Hence  $p_1 = p_2 = \text{@nop}$  and  $e_1 = e_2 = \varepsilon$ .

Case 2.  $p = \text{emit}_{int}(e')$ . Then  $\pi_1$  and  $\pi_2$  are instances of **emitint**. Hence  $p_1 = p_2 = \text{@canrun}(n)$  and  $e_1 = e_2 = e'$ .

Case 3.  $p = \operatorname{Qcanrun}(n)$ . Then  $\pi_1$  and  $\pi_2$  are instances of **canrun**. Hence  $p_1 = p_2 = \operatorname{Qnop}$  and  $e_1 = e_2 = \varepsilon$ .

Case 4. p = if mem(id) then p' else p''. There are two subcases.

Case 4.1. eval(mem(id)) is true. Then  $\pi_1$  and  $\pi_2$  are instances of **if-true**. Hence  $p_1 = p_2 = p'$  and  $e_1 = e_2 = \varepsilon$ .

Case 4.2. eval(mem(id)) is false. Then  $\pi_1$  and  $\pi_2$  are instances of **if-false**. Hence  $p_1 = p_2 = p''$  and  $e_1 = e_2 = \varepsilon$ .

Case 5. p = p'; p''. There are three subcases.

Case 5.1. p' = @nop. Then  $\pi_1$  and  $\pi_2$  are instances of **seqnop.** Hence  $p_1 = p_2 = p''$  and  $e_1 = e_2 = \varepsilon$ .

*Case* 5.2. p' = break. Then  $\pi_1$  and  $\pi_2$  are instances of **seq-brk**. Hence  $p_1 = p_2 = \text{break}$  and  $e_1 = e_2 = \varepsilon$ .

Case 5.3.  $p' \neq @nop$ , break. Then  $\pi_1$  and  $\pi_2$  are instances of **seq-adv**. Thus there are derivations  $\pi'_1$  and  $\pi'_2$  such that

$$\pi'_1 \Vdash \langle p', n, \varepsilon \rangle \xrightarrow{nst} \langle p'_1, n, e'_1 \rangle$$
  
$$\pi'_2 \Vdash \langle p', n, \varepsilon \rangle \xrightarrow{nst} \langle p'_2, n, e'_2 \rangle$$

for some  $p_1', p_2' \in P$  and  $e_1', e_2' \in E$ . By the induction hypothesis,  $p_1' = p_2'$  and  $e_1' = e_2'$ . Hence  $p_1 = p_1'; p'' = p_2'; p'' = p_2$  and  $e_1 = e_1' = e_2' = e_2$ .

Case 6. p = loop p'. Then  $\pi_1$  and  $\pi_2$  are instances of **loop-expd**. Hence  $p_1 = p_2 = p'$  @loop p' and  $e_1 = e_2 = \varepsilon$ .

Case 7. p = p' @loop p''. There are three subcases.

Case 7.1. p' = @nop. Then  $\pi_1$  and  $\pi_2$  are instances of **loop-nop**. Hence  $p_1 = p_2 = \text{loop } p''$  and  $e_1 = e_2 = \varepsilon$ .

Case 7.2. p' = break. Then  $\pi_1$  and  $\pi_2$  are instances of **loop-break**. Hence  $p_1 = p_2 = \text{@nop}$  and  $e_1 = e_2 = \varepsilon$ .

Case 7.3.  $p' \neq @nop$ , break. Then  $\pi_1$  and  $\pi_2$  are instances of **loop-adv**. Thus there are derivations  $\pi'_1$  and  $\pi'_2$  such that

$$\begin{split} \pi_1' &\Vdash \langle p', n, \varepsilon \rangle \xrightarrow[nst]{} \langle p_1', n, e_1' \rangle \\ \pi_2' &\Vdash \langle p', n, \varepsilon \rangle \xrightarrow[nst]{} \langle p_2', n, e_2' \rangle \end{split}$$

for some  $p_1', p_2' \in P$  and  $e_1', e_2' \in E$ . By the induction hypothesis,  $p_1' = p_2'$  and  $e_1' = e_2'$ . Hence  $p_1 = p_1'$  @loop  $p'' = p_2'$  @loop  $p'' = p_2$  and  $e_1 = e_1' = e_2' = e_2$ .

Case 8. p = p' and p''. Then  $\pi_1$  and  $\pi_2$  are instances of **and-expd**. Hence  $p_1 = p_2 = p'$  @and (@canrun(n); p'') and  $e_1 = e_2 = \varepsilon$ .

Case 9. p = p' @and p''. There are two subcases.

Case 9.1. isblocked(p', n) is false. There are three subcases.

Case 9.1.1. p' = @nop. Then  $\pi_1$  and  $\pi_2$  are instances of **and-nop1**. Hence  $p_1 = p_2 = p''$  and  $e_1 = e_2 \varepsilon$ .

*Case* 9.1.2. p' = break. Then  $\pi_1$  and  $\pi_2$  are instances of **and-brk1**. Hence  $p_1 = p_2 = clear(p'')$ ; break and  $e_1 = e_2 \varepsilon$ .

Case 9.1.3.  $p' \neq \text{@nop}$ , break. Then  $\pi_1$  and  $\pi_2$  are instances of **and-adv1**. Thus there are derivations  $\pi'_1$  and  $\pi'_2$  such that

$$\pi'_1 \Vdash \langle p', n, \varepsilon \rangle \xrightarrow{nst} \langle p'_1, n, e'_1 \rangle$$
  
$$\pi'_2 \Vdash \langle p', n, \varepsilon \rangle \xrightarrow{nst} \langle p'_2, n, e'_2 \rangle$$

for some  $p_1', p_2' \in P$  and  $e_1', e_2' \in E$ . By the induction hypothesis,  $p_1' = p_2'$  and  $e_1' = e_2'$ . Hence  $p_1 = p_1'$  and  $p'' = p_2'$  and  $p'' = p_2$  and  $e_1 = e_1' = e_2' = e_2$ .

Case 9.2. isblocked(p', n) is true. There are three subcases.

Case 9.2.1. p'' = @nop. Then  $\pi_1$  and  $\pi_2$  are instances of **and-nop2**. Hence  $p_1 = p_2 = p'$  and  $e_1 = e_2 \varepsilon$ .

Case 9.2.2. p'' = break. Then  $\pi_1$  and  $\pi_2$  are instances of **and-brk2**. Hence  $p_1 = p_2 = clear(p')$ ; break and  $e_1 = e_2 = \varepsilon$ .

Case 9.2.3.  $p'' \neq \text{@nop}$ , break. Then  $\pi_1$  and  $\pi_2$  are instances of **and-adv2**. Thus there are derivations  $\pi_1''$  and  $\pi_2''$  such that

$$\pi_{1}^{"} \Vdash \langle p^{"}, n, \varepsilon \rangle \xrightarrow{nst} \langle p_{1}^{"}, n, e_{1}^{"} \rangle$$
$$\pi_{2}^{"} \Vdash \langle p^{"}, n, \varepsilon \rangle \xrightarrow{nst} \langle p_{2}^{"}, n, e_{2}^{"} \rangle$$

for some  $p_1'', p_2'' \in P$  and  $e_1'', e_2'' \in E$ . By the induction hypothesis,  $p_1'' = p_2''$  and  $e_1'' = e_2''$ . Hence  $p_1 = p'$  and  $p_1'' = p'$  and  $p_2'' = p_2$  and  $e_1 = e_1'' = e_2'' = e_2$ .

Case 10. p = p' or p''. Then  $\pi_1$  and  $\pi_2$  are instances of **orexpd**. Hence  $p_1 = p_2 = p'$  @or (@canrun(n); p'') and  $e_1 = p'$ 

Case 11. p = p' @or p''. There are two subcases.

Case 11.1. isblocked(p', n) is false. There are three subcases.

Case 11.1.1.  $p' = \text{@nop. Then } \pi_1 \text{ and } \pi_2 \text{ are instances}$ of **or-nop1**. Hence  $p_1 = p_2 = clear(p'')$  and  $e_1 = e_2 = \varepsilon$ .

Case 11.1.2. p' = break. Similar to Case 9.1.2.

Case 11.1.3.  $p' \neq @nop$ , break. Similar to Case 9.1.3.

Case 11.2. isblocked(p', n) is true. There are three sub-

Case 11.2.1. p'' = @nop. Then  $\pi_1$  and  $\pi_2$  are instances of **or-nop1**. Hence  $p_1 = p_2 = clear(p')$  and  $e_1 = e_2 = \varepsilon$ .

Case 11.2.2. p'' = break. Similar to Case 9.2.2.

Case 11.2.3.  $p'' \neq @nop, break$ . Similar to Case 9.2.3.

**Theorem A.4.** If  $\delta \xrightarrow[nst]{n} \delta_1$  and  $\delta \xrightarrow[nst]{n} \delta_2$  then  $\delta_1 = \delta_2$ .

*Proof.* Similar to the proof of Theorem A.2. 

# **Termination**

**Definition A.5.** A description  $\delta = \langle p, n, e \rangle$  is nested-irreducible iff  $e \neq \varepsilon$  or p = @nop, break or isblocked(p, n) istrue. Nested-irreducible descriptions serve as normal forms for  $\xrightarrow{nst}$  transitions: they embody the result of an exhaustive number of  $\xrightarrow{nst}$  applications. We will write  $\delta_{\#nst}$  to indicate that description  $\delta$  is nested-irreducible.

The next lemma justifies the use of qualifier "irreducible" in Definition A.5.

**Lemma A.6.** If  $\delta \xrightarrow[nst]{n} \delta'_{\# nst}$  then, for all  $i \neq n$ , there is no  $\delta''_{\# nst}$  such that  $\delta \xrightarrow[nst]{i} \delta''_{\# nst}$ .

*Proof.* By contradiction on the hypothesis that there is such *i*. Let  $\delta \xrightarrow{n} \delta'_{\#nst}$ , for some  $n \ge 0$ . There are two cases.

Case 1. Suppose there are i > n and  $\delta''_{\#nst}$  such that  $\delta \xrightarrow[nst]{i} \delta''$ . Then, by definition of  $\frac{i}{nst}$ ,

$$\delta \xrightarrow{n \atop nst} \delta' \xrightarrow{n+1 \atop nst} \delta'_1 \xrightarrow{n+2 \atop nst} \cdots \xrightarrow{i \atop nst} \delta''$$
. (1)

Since  $\delta' = \langle p', n, e' \rangle$  is nested-irreducible,  $e' = \varepsilon$  or  $p = \varepsilon$ Qnop, break or isblocked(p', n). In any of these cases, by the definition of  $\frac{1}{nst}$ , there is no  $\delta'_1$  such that  $\delta' \xrightarrow{1} \delta'_1$ , which contradicts (1). Therefore, no such i can exist.

Case 2. Suppose there are i < n and  $\delta''_{\# nst}$  such that  $\delta \xrightarrow[nst]{i} \delta''$ . Then, since n > i, by Case 1,  $\delta'$  cannot exist, which is absurd. Therefore, the assumption that there is such *i* is false.

The next lemma establishes some basic properties of sequences of  $\xrightarrow{nst}$  transitions.

**Lemma A.7.** If  $\langle p_1, n, e \rangle \xrightarrow[nst]{n} \langle p'_1, n, e' \rangle$  then, for any  $p_2$ :

- (a)  $\langle p_1; p_2, n, e \rangle \frac{n}{nst} \langle p_1'; p_2, n, e' \rangle;$ (b)  $\langle p_1 \text{ @loop } p_2, n, e \rangle \frac{n}{nst} \langle p_1' \text{ @loop } p_2, n, e' \rangle;$ (c)  $\langle p_1 \text{ @and } p_2, n, e \rangle \frac{n}{nst} \langle p_1' \text{ @and } p_2, n, e' \rangle;$ (d)  $\langle p_1 \text{ @or } p_2, n, e \rangle \frac{n}{nst} \langle p_1' \text{ @or } p_2, n, e' \rangle.$

If  $\langle p_2, n, e \rangle \xrightarrow{n \atop nst} \langle p'_2, n, e' \rangle$ , for any  $p_1$  such that is blocked  $(p_1, n)$ :

- $\begin{array}{ll} \textit{(e)} \ \langle p_1 \ \mathsf{Qand} \ p_2, n, e \rangle \xrightarrow[nst]{nst} \langle p_1 \ \mathsf{Qand} \ p_2', n, e' \rangle; \\ \textit{(f)} \ \langle p_1 \ \mathsf{Qor} \ p_2, n, e \rangle \xrightarrow[nst]{nst} \langle p_1 \ \mathsf{Qor} \ p_2', n, e' \rangle. \end{array}$

*Proof.* By induction on *n*.

(a) The lemma is trivially true for n = 0, as  $p_1 = p'_1$ , and follows directly from **seq-adv** for n = 1. Suppose

$$\langle p_1, n, e \rangle \xrightarrow{1 \atop nst} \langle p_1'', n, e'' \rangle \xrightarrow{n-1 \atop nst} \langle p_1', n, e' \rangle$$
, (2)

for some n > 1. Then  $\langle p_1'', n, e'' \rangle$  is not nested-irreducible, i.e.,  $e = \varepsilon$  and  $p \neq @nop$ , break and  $isblocked(p''_1, n)$  is false. By (2) and by seq-adv,

$$\langle p_1; p_2, n, e \rangle \xrightarrow{1 \atop nst} \langle p_1''; p_2, n, e'' \rangle$$
. (3)

From (2), by the induction hypothesis,

$$\langle p_1^{\prime\prime}; p_2, n, e^{\prime\prime} \rangle \xrightarrow{n-1} \langle p_1^{\prime}; p_2, n, e^{\prime} \rangle$$
. (4)

From (3) and (4),

$$\langle p_1; p_2, n, e \rangle \xrightarrow{n \atop nst} \langle p'_1; p_2, n, e' \rangle$$
.

- (b) Similar to Case (a).
- (c) Similar to Case (a).
- (d) Similar to Case (a).
- (e) The lemma is trivially true for n = 0, as  $p_2 = p'_2$ , and follows directly from **and-adv2** for n = 1. Suppose

$$\langle p_2, n, e \rangle \xrightarrow{1 \atop nst} \langle p_2^{\prime\prime}, n, e^{\prime\prime} \rangle \xrightarrow{n-1 \atop nst} \langle p_2^{\prime}, n, e^{\prime} \rangle$$
, (5)

for some n > 1. Then  $\langle p_2'', n, e'' \rangle$  is not nested-irreducible. By (5) and by and-adv2,

$$\langle p_1 \text{ @and } p_2, n, e \rangle \xrightarrow{n_{st}} \langle p_1 \text{ @and } p_2'', n, e'' \rangle$$
. (6)

From (5), by the induction hypothesis,

$$\langle p_1 \text{ @and } p_2^{\prime\prime}, n, e^{\prime\prime} \rangle \xrightarrow{n-1 \atop nst} \langle p_1 \text{ @or } p_2^{\prime}, n, e^{\prime} \rangle$$
. (7)

From (6) and (7),

$$\langle p_1 \text{ @and } p_2, n, e \rangle \xrightarrow[n \text{ st}]{n} \langle p_1 \text{ @and } p_2', n, e' \rangle$$
.

(f) Similar to Case (e).

The syntactic restrictions discussed in Section ??, regarding the body of fin and loop expressions, are formalized by the following assumptions.

**Assumption A.8.** If  $\delta = \langle clear(p), n, \varepsilon \rangle$  then there is a description  $\delta' = \langle \text{enop}, n, \varepsilon \rangle$  such that  $\delta \xrightarrow[nst]{*} \delta'$ .

Assumption A.9. If  $\delta = \langle \log p, n, \varepsilon \rangle$  then there is a description  $\delta' = \langle p', n, e \rangle$  such that  $\delta \xrightarrow{*} \delta'$  where either  $p' = \frac{1}{2}$  break @loop p or  $isblocked_{ext}(p', n)$ .

**Theorem A.10.** For any  $\delta$  there is a  $\delta'_{\# nst}$  such that  $\delta \frac{*}{nst} \delta'_{\# nst}$ .

*Proof.* By induction on the structure of programs. Let  $\delta = \langle p, n, \varepsilon \rangle$ . The theorem is trivially true if  $\delta$  is nested-irreducible, as by definition  $\delta \xrightarrow{0} \delta_{\# nst}$ . Suppose that is not the case. Then, depending on the structure of p, there are 11 possibilities. In each one of them, we show that such  $\delta'_{\# nst}$  indeed exists.

Case 1. p = mem(id). Then, by **mem**,

$$\langle \mathsf{mem}(id), n, \varepsilon \rangle \xrightarrow[nst]{1} \langle \mathsf{@nop}, n, \varepsilon \rangle_{\#nst}$$
.

Case 2.  $p = emit_{int}(e)$ . Then, by **emit-int**,

$$\langle \text{emit}_{int}(e), n, \varepsilon \rangle \xrightarrow{1 \atop nst} \langle \text{@canrun}(n), n, e \rangle_{\#nst}$$
.

Case 3. p = @canrun(n). Then, by **can-run**,

$$\langle \mathbb{Q}canrun(n), n, \varepsilon \rangle \xrightarrow{nst} \langle \mathbb{Q}nop, n, \varepsilon \rangle_{\#nst}$$
.

Case 4. p = if mem(id) then p' else p''. There are two subcases.

Case 4.1. eval(mem(id)) is true. Then, by **if-true** and by the induction hypothesis, there is a  $\delta'$  such that

$$\langle \text{if mem}(id) \text{ then } p' \text{ else } p'', n, \varepsilon \rangle \xrightarrow[nst]{1} \langle p', n, e \rangle \xrightarrow{*}_{nst} \delta'_{\#nst}.$$

Case 4.2. eval(mem(id)) is false. Then, by **if-false** and by the induction hypothesis, there is a  $\delta'$  such that

$$\langle \texttt{if} \, \texttt{mem}(id) \, \texttt{then} \, p' \, \texttt{else} \, p'', n, \varepsilon \rangle \xrightarrow[nst]{1} \langle p'', n, e \rangle$$
 
$$\xrightarrow[nst]{*} \delta'_{\#nst} \, .$$

Case 5. p = p'; p''. There are three subcases.

Case 5.1. p' = @nop. Then, by **seq-nop** and by the induction hypothesis, there is a  $\delta'$  such that

$$\langle \text{@nop}; p'', n, \varepsilon \rangle \xrightarrow[nst]{1} \langle p'', n, e \rangle \xrightarrow[nst]{*} \delta'_{\# nst}$$
.

Case 5.2. p' = break. Then, by **seq-brk**,

$$\langle \text{break}; p'', n, \varepsilon \rangle \xrightarrow[nst]{1} \langle \text{break}, n, \varepsilon \rangle_{\#nst}.$$

Case 5.3.  $p' \neq @nop$ , break. Then, by the induction hypothesis, there are  $p'_1$  and e such that

$$\langle p', n, \varepsilon \rangle \xrightarrow{*} \langle p'_1, n, e \rangle_{\# nst}$$
.

By item (a) of Lemma A.7,

$$\langle p'; p'', n, \varepsilon \rangle \xrightarrow{*} \langle p_1'; p'', n, e \rangle$$
. (8)

It remains to be shown that  $\langle p_1'; p'', n, e \rangle$  is nested-irreducible. There are four possibilities following from the fact that the simpler  $\langle p_1', n, e \rangle$  is nested-irreducible.

Case 5.3.1.  $e \neq \varepsilon$ . Then, by the definition of #nst, description  $\langle p'_1; p'', n, e \rangle$  is nested-irreducible.

Case 5.3.2. 
$$p'_1 = \text{@nop. From (8)},$$

$$\langle p'; p'', n, \varepsilon \rangle \xrightarrow{*} \langle \text{@nop}; p'', n, e \rangle$$
.

From this point on, this case is similar to Case 5.1.

Case 5.3.3.  $p'_1 = \text{break. From (8)},$ 

$$\langle p'; p'', n, \varepsilon \rangle \xrightarrow[nst]{*} \langle \text{break}; p'', n, e \rangle$$
.

From this point on, this case is similar to Case 5.2.

Case 5.3.4.  $isblocked(p'_1, n)$  is true. Then, by definition,

$$isblocked(p'_1; p'', n) = isblocked(p'_1, n) = true.$$

Hence, from (8) and by the definition #nst, description  $\langle p'_1; p'', n, e \rangle$  is nested-irreducible.

Case 6. p = loop p'. Then, by Assumption A.9,

$$\langle \text{loop } p', n, \varepsilon \rangle \xrightarrow[nst]{*} \langle p'_1, n, e \rangle,$$
 (9)

for some e and  $p'_1$  such that either  $p'_1$  = break @loop p' or  $isblocked_{ext}(p'_1, n)$ .

Case 6.1.  $p'_1 = \text{break @loop } p'$ . From (9), by **loop-brk**,

$$\langle \text{loop } p', n, \varepsilon \rangle \xrightarrow[nst]{*} \langle \text{break @loop } p', n, e \rangle$$
  
 $\xrightarrow[nst]{} \langle \text{@nop, } n, e \rangle_{\#nst} .$ 

Case 6.2.  $isblocked_{ext}(p'_1, n)$  is true. Then, by definition,  $isblocked_{ext}(p'_1, n)$  implies  $isblocked(p'_1, n)$ . Hence, from (9) and by the definition of #nst,  $\langle p'_1, n, e \rangle_{\#nst}$ .

Case 7. p = p' @loop p''. There are three subcases.

Case 7.1. p' = @nop. Then, by **loop-nop**,

$$\langle \texttt{@nop\,@loop\,}p^{\prime\prime}, n, \varepsilon \rangle \xrightarrow[nst]{} \langle \texttt{loop\,}p^{\prime\prime}, n, \varepsilon \rangle \, .$$

From this point on, this case is similar to Case 6.

Case 7.2. p' = break. Then, by **loop-brk**,

$$\langle \operatorname{break} \operatorname{@loop} p^{\prime\prime}, n, \varepsilon \rangle \xrightarrow[nst]{1} \langle \operatorname{@nop}, n, \varepsilon \rangle_{\# nst} \; .$$

*Case* 7.3.  $p' \neq @nop$ , break. Then, by the induction hypothesis, there are  $p'_1$  and e such that

$$\langle p', n, \varepsilon \rangle \xrightarrow{*} \langle p'_1, n, e \rangle_{\#nst}$$
.

By item (b) of Lemma A.7,

$$\langle p' \operatorname{@loop} p'', n, \varepsilon \rangle \xrightarrow{*} \langle p'_1 \operatorname{@loop} p'', n, e \rangle.$$

It remains to be show that  $\langle p_1'@loop p'', n, e \rangle$  is nested-irreducible. The rest of this proof is similar to that of Case 5.3.

Case 8. p = p' and p''. Then, by **and-expd**,

$$\langle p' \text{ and } p'', n, \varepsilon \rangle \xrightarrow{nst} \langle p' \text{ Qand (Qcanrun}(n); p''), n, \varepsilon \rangle$$
.

From this point on, this case is similar to Case 9.

Case 9. p = p' @and p''. There are two subcases.

Case 9.1. isblocked(p', n) is false. There are three subcases.

*Case* 9.1.1. p' = @nop. Then, by **and-nop1** and by the induction hypothesis, there is a  $\delta'$  such that

$$\langle \text{enop eand } p'', n, \varepsilon \rangle \xrightarrow[nst]{1} \langle p'', n, \varepsilon \rangle \xrightarrow[nst]{*} \delta'_{\# nst}$$
.

Case 9.1.2. p' = break. Then, by **and-brk1**,

$$\langle \text{break @and } p'', n, \varepsilon \rangle \xrightarrow[nst]{1} \langle clear(p''); \text{ break}, n, \varepsilon \rangle.$$
 (10)

From (10), by Assumption A.8 and seq-nop,

$$\langle clear(p''); \text{ break}, n, \varepsilon \rangle \xrightarrow[nst]{*} \langle \text{@nop; break}, n, \varepsilon \rangle$$
  
 $\xrightarrow[nst]{} \langle \text{break}, n, \varepsilon \rangle_{\#nst}.$ 

Case 9.1.3.  $p' \neq @nop$ , break. Then, by the induction hypothesis, there are  $p'_1$  and e such that

$$\langle p', n, \varepsilon \rangle \xrightarrow{*} \langle p'_1, n, e \rangle_{\#nst}$$
.

By item (c) of Lemma A.7,

$$\langle p' \text{ Qand } p'', n, \varepsilon \rangle \xrightarrow{*} \langle p'_1 \text{ Qand } p'', n, e \rangle$$
.

It remains to be show that  $\langle p_1'$  @and  $p'', n, e \rangle$  leads to an nested-irreducible description. There are four possibilities following from the fact that the simpler  $\langle p_1', n, e \rangle$  is nested-irreducible.

- 1. If  $e \neq \varepsilon$  then, by definition,  $\langle p'_1 \text{ @and } p'', n, e \rangle_{\#nst}$ .
- 2. If  $p'_1 = \text{@nop}$ , this case is similar to Case 9.1.1.
- 3. If  $p'_1$  = break, this case is similar to Case 9.1.2.
- 4. If  $isblocked(p'_1, n)$ , this case is similar to Case 9.2.

Case 9.2. isblocked(p', n) is true. There are three subcases.

Case 9.2.1. p'' = @nop. Then, by and-nop2,

$$\langle p' \text{ @and @nop}, n, \varepsilon \rangle \xrightarrow[nst]{1} \langle p', n, \varepsilon \rangle_{\#nst}$$
.

Case 9.2.2. p'' = break. Then, by and-brk2,

 $\langle p' \text{ @and break}, n, \varepsilon \rangle \xrightarrow[nst]{1} \langle clear(p'); \text{ break}, n, \varepsilon \rangle$ .

From this point on, this case is similar to Case 9.1.2.

Case 9.2.3.  $p'' \neq @nop$ , break. Then, by the induction hypothesis, there are  $p_1''$  and e such that

$$\langle p'', n, \varepsilon \rangle \xrightarrow{*} \langle p_1'', n, e \rangle_{\#nst}$$
.

By item (e) of Lemma A.7,

$$\langle p' \text{ Qand } p'', n, \varepsilon \rangle \xrightarrow{*} \langle p' \text{ Qand } p''_1, n, e \rangle$$
.

It remains to be show that  $\langle p'$  @and  $p_1'', n, e \rangle$  leads to an nested-irreducible description. There are four possibilities following from the fact that the simpler  $\langle p_1'', n, e \rangle$  is nested-irreducible.

- 1. If  $e \neq \varepsilon$  then, by definition,  $\langle p' \text{ Qand } p''_1, n, e \rangle_{\#nst}$ .
- 2. If  $p_1'' = \text{@nop}$ , this case is similar to Case 9.2.1.
- 3. If  $p_1''$  = break, this case is similar to Case 9.2.2.
- 4. If  $isblocked(p_1'', n)$  then, as both sides are blocked, by definition,  $\langle p' \text{ Qand } p_1'', n, e \rangle_{\#nst}$ .

Case 10. p = p' or p''. Then, by **or-expd**,

$$\langle p' \text{ or } p'', n, \varepsilon \rangle \xrightarrow{nst} \langle p' \text{ @or (@canrun}(n); p''), n, \varepsilon \rangle$$
.

From this point on, this case is similar to Case 11.

Case 11. p = p' @or p''. There are two subcases.

Case 11.1. isblocked(p', n) is false. There are three subcases.

Case 11.1.1. 
$$p' = \text{@nop. Then, by or-nop1},$$
  
 $\langle \text{@nop @or } p'', n, \varepsilon \rangle \xrightarrow{1} \langle \text{clear}(p''), n, \varepsilon \rangle.$  (11)

From (11), by Assumption A.8,

$$\langle clear(p''), n, \varepsilon \rangle \xrightarrow{*} \langle @nop, n, \varepsilon \rangle_{\#nst}$$
.

Case 11.1.2. p' = break. Similar to Case 9.1.2.

Case 11.1.3.  $p' \neq @nop, break$ . Similar to Case 9.1.3.

Case 11.2. isblocked(p', n) is true. There are three subcases.

Case 11.2.1. p'' = @nop. Then, by or-nop2,

$$\langle p' \text{ @or @nop}, n, \varepsilon \rangle \xrightarrow[nst]{1} \langle clear(p'), n, \varepsilon \rangle.$$
 (12)

From (12), by Assumption A.8,

$$\langle clear(p'), n, \varepsilon \rangle \xrightarrow{*} \langle @nop, n, \varepsilon \rangle_{\#nst}$$
.

Case 11.2.2. p'' = break. Similar to Case 9.2.2.

Case 11.2.3.  $p'' \neq @nop, break$ . Similar to Case 9.2.3.

**Definition A.11.** The *potency* of a program p, denoted pot(p), is defined as follows:

$$pot(p) = 1$$
 if  $p = emit_{int}(e)$ 

$$pot(p) = pot(p_1) + pot(p_2)$$
 if  $p = p_1$ ;  $p_2$  or  $p = p_1$  @loop  $p_2$ 

$$1404$$
and  $p_1 \neq \text{await}_{ext} e$ 

$$pot(p) = \max\{pot(p_1), pot(p_2)\}$$
 if  $p = \text{if mem}(id) \text{ then } p_1 \text{ else } p_2 407$ 

or 
$$p = p_1$$
 and  $p_2$  or  $p = p_1$  or  $p_2^{08}$   
or  $p = p_1$  @and  $p_2$  or  $p = p_1$  @or  $p_2$ 

$$pot(p) = 0$$
 otherwise.