

UNIVERSITY NAME

DOCTORAL THESIS

---

## Thesis Title

---

*Author:*  
John SMITH

*Supervisor:*  
Dr. James SMITH

*A thesis submitted in fulfillment of the requirements  
for the degree of Doctor of Philosophy  
in the*

Research Group Name  
Department or School Name

May 19, 2021

*“Thanks to my solid academic training, today I can write hundreds of words on virtually any topic without possessing a shred of information, which is how I got a good job in journalism.”*

Dave Barry

UNIVERSITY NAME

*Abstract*

Faculty Name  
Department or School Name

Doctor of Philosophy

**Thesis Title**

by John SMITH

The Thesis Abstract is written here (and usually kept to just this page). The page is kept centered vertically so can expand into the blank space above the title too...



## *Acknowledgements*

The acknowledgments and the people to thank go here, don't forget to include your project advisor...



# Contents

|                                                                     |            |
|---------------------------------------------------------------------|------------|
| <b>Abstract</b>                                                     | <b>iii</b> |
| <b>Acknowledgements</b>                                             | <b>v</b>   |
| <b>1 Proving semantic preservation in HILECOP</b>                   | <b>1</b>   |
| 1.1 Semantic preserving transformations in the literature . . . . . | 1          |
| 1.1.1 Transformations and proofs of semantic preservation . . . . . | 2          |
| 1.2 The state similarity relation . . . . .                         | 7          |
| 1.3 Behavior Preservation Theorem . . . . .                         | 11         |
| 1.3.1 Proof notations . . . . .                                     | 11         |
| 1.3.2 Preliminary definitions . . . . .                             | 11         |
| 1.3.3 The behavior preservation theorem . . . . .                   | 12         |
| 1.3.4 The bisimulation theorem . . . . .                            | 15         |
| 1.4 A detailed proof: equivalence of fired transitions . . . . .    | 22         |
| <b>A Reminder on natural semantics</b>                              | <b>37</b>  |
| <b>B Reminder on induction principles</b>                           | <b>39</b>  |
| <b>C Semantic preservation proof</b>                                | <b>41</b>  |
| C.1 Initial States . . . . .                                        | 41         |
| C.1.1 Initial states and marking . . . . .                          | 42         |
| C.1.2 Initial states and time counters . . . . .                    | 43         |
| C.1.3 Initial states and reset orders . . . . .                     | 44         |
| C.1.4 Initial states and condition values . . . . .                 | 46         |
| C.1.5 Initial states and action executions . . . . .                | 46         |
| C.1.6 Initial states and function executions . . . . .              | 47         |
| C.2 First Rising Edge . . . . .                                     | 48         |
| C.2.1 First rising edge and marking . . . . .                       | 49         |
| C.2.2 First rising edge and time counters . . . . .                 | 50         |
| C.2.3 First rising edge and reset orders . . . . .                  | 51         |
| C.2.4 First rising edge and action executions . . . . .             | 53         |
| C.2.5 First rising edge and function executions . . . . .           | 53         |
| C.3 Rising Edge . . . . .                                           | 54         |
| C.3.1 Rising Edge and Marking . . . . .                             | 55         |
| C.3.2 Rising edge and condition combination . . . . .               | 55         |
| C.3.3 Rising edge and time counters . . . . .                       | 57         |
| C.3.4 Rising edge and reset orders . . . . .                        | 58         |
| C.3.5 Rising edge and action executions . . . . .                   | 66         |
| C.3.6 Rising edge and function executions . . . . .                 | 66         |

|                     |                                                |           |
|---------------------|------------------------------------------------|-----------|
| C.3.7               | Rising edge and sensitization . . . . .        | 68        |
| <b>C.4</b>          | <b>Falling Edge . . . . .</b>                  | <b>72</b> |
| C.4.1               | Falling Edge and marking . . . . .             | 72        |
| C.4.2               | Falling edge and time counters . . . . .       | 79        |
| C.4.3               | Falling edge and condition values . . . . .    | 85        |
| C.4.4               | Falling and action executions . . . . .        | 85        |
| C.4.5               | Falling edge and function executions . . . . . | 87        |
| C.4.6               | Falling edge and firable transitions . . . . . | 87        |
| <b>Bibliography</b> |                                                | <b>99</b> |

# List of Figures

|     |                                                                                                               |    |
|-----|---------------------------------------------------------------------------------------------------------------|----|
| 1.1 | Simulation diagrams . . . . .                                                                                 | 2  |
| 1.2 | An example of bisimulation diagram . . . . .                                                                  | 6  |
| 1.3 | Bisimulation diagram over one clock cycle for a source SITPN and a target $\mathcal{H}$ -VHDL design. . . . . | 18 |



# List of Tables

|                                                                                                      |    |
|------------------------------------------------------------------------------------------------------|----|
| C.1 Constants and signals reference for the $\mathcal{H}$ -VHDL transition and place designs . . . . | 41 |
|------------------------------------------------------------------------------------------------------|----|



*For/Dedicated to/To my...*



## Chapter 1

# Proving semantic preservation in HILECOP

In this chapter, I want to talk about/draw the attention to:

- The differentiation of boolean operators and intuitionistic logic operators
- The correspondence between combinational signal value and there assignment expression deduced from the code. Explain that this is where the  $\mathcal{H}$ -VHDL semantics plays its part in the proof; although we are not detailing how assignment expressions are deduced from running the semantics of the  $\mathcal{H}$ -VHDL code. Give some examples of correspondence between combinational signal value and assignment expressions (in part “a detailed proof”)
- the properties of comp. instances ifaces deduced from the transformation (in part “a detailed proof”)
- The particularity of the similarity relation for time counters.
- In the part about the implementation, explain that the lemmas about the transformation function are expressed with universal binders rather than with existential ones to avoid the multiple instantiation of components in the proceeding of a proof.

In this chapter, we present our semantic preservation theorem along with its proof. The written proof is about a hundred-page long after compilation of the L<sup>A</sup>T<sub>E</sub>X files. Therefore, we will only present here the “high-level” theorems and lemmas used in the proof, and some hints regarding the proof strategy. The full proof is available to the reader in Appendix C. The theorems and lemmas presented in this chapter will be referring to the lemmas of Appendix C. The structure of this chapter is the following one: in Section 1.1, we present our review of the literature pertaining to the proof of semantic preservation theorems for transformation functions; in Section , we detail our state similarity relation, i.e, the semantic bound between an SITPN and its  $\mathcal{H}$ -VHDL translation; in Section, we draw out our semantic preservation theorem; in Section, we detail a particularly tricky point of the proof related to the computation of fired transitions, and we show how it has led to a bug detection in HILECOP’s code; in Section, we present some points of the mechanization of the proof verification with the Coq proof assistant.

### 1.1 Semantic preserving transformations in the literature

In this section, we present the review of the literature pertaining to the verification of transformation functions. A transformation function is understood here as any kind of mapping from

a source representation to a target representation, where the source and target representations possess a behavior of their own (i.e, they are executable). Here, we will focus on verification techniques based on the proof of semantic preservation theorems. We are interested in how to prove that transformation functions are semantic preserving. Especially, we are interested in the expression of semantic preservation theorems, i.e, what does one mean by semantic preservation, and in seeking usual proof strategies.

The goal is to draw our inspiration from the literature, and to see how far the correspondence holds between our specific case of transformation, and other cases of transformations. The material we used for the literature review is divided in three categories. Each category covers a specific case of transformation function; the three categories are:

- Compilers for generic programming languages
- Compilers for hardware description languages
- Model-to-model and model-to-text transformations

### 1.1.1 Transformations and proofs of semantic preservation

In the introduction of his article about CompCert [11], X.Leroy presents the two points of major importance to express semantic preservation theorems for GPL compilers, and more generally to get the meaning of semantic preservation.

The first point is to clearly state how things are compared between the source and the target programs. It is to describe the runtime state of the source and the target, and to draw a correspondence between two. This is expressed through a state comparison relation.

The second point is to relate the execution of the source program to the execution of the target program through a simulation, or bisimulation, diagram. Figure shows the different kind of simulation diagrams possibly relating two programs. Choosing an adequate simulation diagram to express a semantic preservation theorem depends on the kind of possible behaviors that can exhibit a given program. In the case of GPL programs, X.Leroy lists three kinds of possible behaviors: either the program execution succeeds and returns a value, or the program execution fails and returns an error, or the program execution diverges.



FIGURE 1.1: Simulation diagrams between source and target programs

Anyway, in the case where the source program execution succeeds, the theorem of semantic preservation takes this general form:

Consider a source program  $P_1$  compiled into a target program  $P_2$ , a starting state  $S_1$  for program  $P_1$  and a starting state  $S_2$  for program  $P_2$  such that  $S_1$  and  $S_2$  are similar states w.r.t. the

exhibited state comparison relation. If the execution of  $P_1$  leads from state  $S_1$  to state  $S'_1$ , then there exists a state  $S'_2$  resulting of the execution of program  $P_2$  from state  $S_2$  such that  $S'_1$  and  $S'_2$  are similar w.r.t. the exhibited state comparison relation.

Compiler verification tasks aims at proving the kind of theorem stated above. The other kind of task that can be applied to certify a compiler is to perform compiler validation. Compiler validation is interested in generating a proof of behavior preservation (or a counter-example showing that behaviors diverge) for a given input program alongside the compilation process. Thus, for a given input program, the compiler yields a target program and the proof that the input and target have the same behavior. Exhibiting a theorem of semantic preservation is stronger than building a proof of semantic preservation for each input program. Therefore, compiler verification is stronger than compiler validation. The aim of the thesis is to perform compiler *verification* over the HILECOP methodology. Some of the works, cited afterwards, are more interested in compiler or transformation validation techniques than in verification. They are presented here for the sake of coverage.

Now that we have clarified the meaning of semantic preservation for GPL compilers, we state that this definition of semantic preservation holds also for more general case of transformation from a source representation to a target representation. The only condition to be able to verify that a transformation is semantic preserving is that the source and target representation must have an execution semantics (i.e, the instances of the source and target representations must be executable).

For each article used in the literature review and presenting a specific case of transformation, the following questions have been asked:

- What are the similarities/differences between source and target representations?
- How are described the runtime state for the source and target representations?
- How is expressed the state comparison relation?
- How is stated the semantic preservation theorem?
- What is the employed proof strategy?

### Compilers for generic programming languages

Taking the CompCert compiler as an example, the compilation pass from Clight programs to Cminor programs is described in [2, 11]. Clight is a subset of the C language, and Cminor is a low-level imperative language. The two languages are endowed with a big-step operational semantics. Here, the execution state of the source and target languages are memory models (of course, we are dealing with programming languages). The memory model is the same for all intermediate language involved in the CompCert compiler. The memory model consists in block references; each block has a lower and an upper bound. To access a data, one has to specify the block reference along with the size of the accessed data (i.e, the data type) and the offset from the start of the block reference (i.e, where to begin the data reading). About the proof of semantic preservation, the most difficult point is to relate the memory state of the source program to the memory states of the target program. To do so, the authors define a *memory injection* relation that binds the values of source and target together. They also establish a relation to compare execution environments, i.e, the environments holding the declaration of functions, global variables... The proof of semantic preservation is built incrementally: the authors prove a simulation lemma for the

Clight expressions, then for the Clight statements, and finally for the entire Clight program. The proof strategy is to reason by induction over the evaluation relation of the Clight programs, and to perform case analysis on the translation function.

The pattern to compiler verification for GPLs is more or less the same as presented above. May it be compilers for imperative languages [11, 14], or compilers for functional languages [7, 15], compiler verification proceeds as follows:

1. establish a relation between the memory models of the source and target languages, and between the global execution environments
2. prove simulation lemmas starting from simple constructs, and building up incrementally to consider entire programs
3. reason by induction over the evaluation relation of the source language, and the translation function

Relating memory models is more difficult when the gap between the source and target languages is important (for instance, the translation of Cminor programs into RTL programs in [11]). As a consequence, the complexity of the relation for memory model comparison increases.

### Compilers for hardware description languages

In the case of HDL compilers, proving semantic preservation is very similar to the case of GPL compilers. Of course, the difference lies in the semantics of HDL languages, and in the description of execution states. The semantics of HDLs is intrinsically related to the notion of execution over time, or over multiple clock cycles; indeed, we are dealing with reactive systems. Therefore, the semantic preservation theorems are formulated w.r.t. the synchronous or time-related semantics of the considered languages.

In [3, 5], the source languages are a subset of the BlueSpec specification language for hardware synthesis , and the target is an RTL representation of the circuit. The execution states of the source and target are based on registers. In [3], the execution state also hold a log of the read and write operations of the input program, and this log is compared to the log of the RTL representation. The semantic preservation theorem states that the registers hold the same values after the execution of source program and the resulting RTL circuit after one clock cycle.

In [4], the source language is a subset of Lustre and the target language is imperative language called Obc. A Lustre program is composed of nodes; each node treats a set of input streams and publishes output streams after the computation of its statement body. In its statement body, a Lustre node possibly refer to instances of other nodes. In the compilation process, each Lustre node is translated into an Obc class. An Obc class hold a vector of variables composing its internal memory and a vector of other Obc class instances. The authors define a data flow semantics for the Lustre language; judgments of the semantics describe how output streams are computed based on input streams. Also, as we are dealing with hardwares, the judgments treat synchronous statements and combinational ones. On the side of the Obc language, the semantics define a function *step* that computes the execution the Obc classes over one clock cycle. To prove the semantic preservation theorem, the state comparison relation binds the values of input and output streams on one side to the values of variables and Obc class instances on the other side. The semantic preservation theorem is as follows: if a Lustre node yields output streams *o* from input streams *i*, then the iterative execution of the *step* function for the corresponding Obc class builds every step of output streams *o* given the values of input streams *i*. The proof is done by induction

over the clock step count, and by induction over the evaluation derivation of the nody instruction body.

In [12], the HDL compiler translates Verilog modules into netlists. The execution state of Verilog module holds the value of the variables declared in the module. The execution state of a netlist circuit holds the value of the registers declared in the circuit. Therefore, the state comparison relation used to state the semantic preservation theorem binds the values of variables on one side to the values of registers on the other side. The semantics of Verilog resembles the one of VHDL; the set of processes composing a module are executed w.r.t. the simulation semantics of the language, i.e, composed of synchronous and combinational execution steps. The semantics of netlists is set as a big-step operational semantics by means of an interpreter that runs a netlist list over  $n$  clock cycles. The semantic preservation theorem is as follows: Assuming that a module is transformed into a circuit, and that some well-formation hypotheses hold on the module, if the module executes without error, and yields a final state  $v_{env}$ , then there exists a final state  $c_{env}$  yielded by the execution of the circuit over  $n$  clock cycles s.t.  $v_{env}$  and  $c_{env}$  are similar according to the relation  $verilog\_netlist\_rel$ . Here, the  $verilog\_netlist\_rel$  is the state comparison relation.

In [17], the compiler transforms programs of the synchronous language SIGNAL into Synchronous Clock Guarded Actions programs (S-CGA programs). A SIGNAL program describes a set of processes; each process holds a set of equations describing the relation between signals. The equations can be synchronous equations (referring to a clock) or combinational ones. An S-CGA program defines a set of actions to be applied to some variables when some conditions (the guards) are met. The SIGNAL (resp. the S-CGA) language has been endowed with a trace semantics describing the computation of signal values (resp. variable values) over time. The authors describe a function to translate the traces of SIGNAL and S-CGA programs into a common trace model. Thus, the semantic preservation theorem is stated by comparing two traces of execution defined through the same model. The proof of the semantic preservation theorem is built incrementally. For each statement of a SIGNAL process, the authors exhibit a lemma proving that the trace resulting from the execution of the statement is equivalent to the trace resulting of the execution of the corresponding guarded actions (obtained through the compilation). The proof is fully mechanized within the Coq proof assistant.

In [10], the authors verify a methodology to design hardware models with SystemC models. SystemC models describe hardware with modules; a module is a C++ class with ports, data members and methods. The methodology describes a transformation from SystemC into Abstract State Machine (ASM) thus enabling to model-check the hardware models. ASMs are described in the language AsmL; in AsmL, an ASM is implemented by a class with data members and methods. A denotational (fixpoint) semantics for SystemC modules is defined along with a denotational semantics for AsmL. The semantics is another variant of simulation cycle, similar to all other synchronous languages. There are two phases: evaluate and update and the gap between the two is called a delta-delay. The execution state of a SystemC module is divided into a signal store, mapping signal to value, and a variable store, mapping variable to value. The execution state of an AsmL class is only composed of a variable store. The theorem of semantic preservation states that, after translation, a SystemC model has the same *observational* behavior than its corresponding AsmL class. What is compared between a SystemC model and its corresponding AsmL class through their observational behavior is the activity of the processes of the first one and the activity of the methods of the second one. Processes and methods must be active at the same delta cycles. Therefore, what is compared here are not the values that the execution states hold, but rather the activity of the source and target programs.

## Model transformations

Regarding model transformations, a lot of works consider semantic preservation as the preservation of structural properties in the transformed model [1, 6, 13].

Still, there are many cases where the source model and the target one have both an execution semantics. In these cases, the authors are interested in proving that the transformation is semantic preserving by showing that the computation of the source model and the target model follow a simulation relation (see Figure 1.1).

In [8] and [16], the authors are interested in giving a translational semantics to a given model having itself a reference execution semantics. In [8], the source models are called xSpem models; they describe a set of activities exchanging resources and an holding an internal state. The target models are PNs. Both xSpem models and PNs have a state transition semantics. The state comparison is performed by checking the correspondence between each current status of the activities described in an xSpem model and the marking of the PN. Then, the authors prove a bisimulation theorem, illustrated in Figure 1.2.



FIGURE 1.2: Bisimulation diagram relating an xSpem model execution and a Petri net execution

In Figure 1.2, on the right side of the diagram, i.e., the Petri net side, one can see that a Petri net possibly performs many internal actions (represented by the arrow  $\xrightarrow{\tau}^*$ ) before and after executing the computation step that is interesting for the proof (i.e., action  $\lambda$ ). Referring to the diagrams of Figure 1.1, this is a case of “star” simulation. The proof is performed by reasoning by induction on the structure of the xSpem model, and then by reasoning of the state transition semantics of xSpem models and PNs.

In [16], the authors describe a transformation from a model of the AADL formalism (Architecture Analysis and Design Language) to a particular kind of Abstract State Machine (ASM) called Timed Abstract State Machines (TASM). To verify that the transformation is semantic preserving, the authors define the semantics of AADL models and TASMs through Timed Transition Systems (TTSs). Thus, the execution state of an AADL model is the execution state of the corresponding TTS, and the same holds for a TASM. Comparing the state of two TTSs is easier than comparing the state of two different models. Then, the authors prove a strong bisimulation theorem to verify that the transformation is semantic preserving. The whole proof is mechanized within the Coq proof assistant.

In [9], the authors describe a transformation from LLVM-labelled Petri nets to LLVM programs, where LLVM is low-level assembly language. Precisely, the generated LLVM program implements the state space of the source Petri net (i.e., the graph of reachable markings). The authors want to

verify if an LLVM program trully implements the PN state space, i.e if each marking present in the PN state space can be reached by running a specific  $fire_t$  function on the generated LLVM program. The state of an LLVM program is defined by a memory model composed of a heap and a stack. The marking of an LLVM-labelled PN is defined in such a manner that the correspondence with the LLVM program memory model is straight-forward. The PN model has a classical firing semantics, and LLVM programs follow a small-step operational semantics. The semantic preservation theorem states that for all transition  $t$  being fired, leading from marking  $M$  to marking  $M'$ , then applying running the  $fire_t$  function over the generated LLVM program at state  $LM$  (such that  $LM$  implements marking  $M$ ) leads to a new state  $LM'$ , such that  $LM'$  implements marking  $M'$ . To prove this theorem, the authors proceed by induction on the number of places of the Petri net.

### Discussions on transformations and proof strategies

In this thesis, we are interested in the verification of a semantic preservation property for a given transformation by proving a bisimulation theorem. To achieve this kind of proof task, the proceedings are quite similar, at least in the three cases of transformation presented above (i.e, GPLs compilation, HDLs compilation and model transformations). Even though the source and target languages or models are different from one case of transformation to the other, however, bisimulation theorems carry the same structure. The state comparison relation and the choice of the bisimulation diagram are the two angular stones of the process.

One can notice that when verifying the transformation of HDL programs, the bisimulation theorems are expressed around a time-related computational step. It can either be a clock cycle, or another kind of time step. The state equivalence checking is made at the end this time-related computational step. This differs from the expression of bisimulation theorems for GPLs, where a computational step is not related to time, but rather expresses the one-time computation of programs.

Concerning proof strategies, in the case of programming languages, proving the bisimulation theorems are systematically done by induction over the semantics relation of the source languages. The semantics relation are themselves defined by following the inductive structure of the language ASTs. In the case of model transformations, when the source model permits it, the proofs are performed similarly by applying inductive reasoning over the structure of the input model. This enable compositional reasoning, i.e: to split the difficulty of proving the bisimulation theorem into simpler lemmas about the execution of simpler programs or simple model structures.

## 1.2 The state similarity relation

Before stating the behavior preservation theorem, we must clarify the meaning of semantic preservation between an SITPN and a  $\mathcal{H}$ -VHDL design. To do so, we must define:

1. what does semantical matching means between an SITPN state and an  $\mathcal{H}$ -VHDL state?
2. when, in the course of the execution of an SITPN and an  $\mathcal{H}$ -VHDL design, does this semantical matching must hold?

We must relate the elements that constitute the execution state of an SITPN to the elements that constitute the execution state of an  $\mathcal{H}$ -VHDL design. An SITPN state is an abstract structure relating the places, transitions, actions, functions and conditions of a given SITPN to the values of certain domains (see Section ). A  $\mathcal{H}$ -VHDL design state is composed a signal store mapping signals

Add ref.

to values, and of a component store mapping component instances to their own internal states. Thanks to the binder function  $\gamma$  generated alongside the transformation from an SITPN to a  $\mathcal{H}$ -VHDL design, we are able to relate the elements of the SITPN structure to the component instances and signals on the  $\mathcal{H}$ -VHDL side. Thus, the state similarity relation expressing a semantical match between an SITPN state and an  $\mathcal{H}$ -VHDL design is defined as follows:

**Definition 1** (General state similarity). *For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ , and a binder  $\gamma \in WM(sitpn, d)$ , an SITPN state  $s \in S(sitpn)$  and a design state  $\sigma \in \Sigma(\Delta)$  are similar, written  $\gamma \vdash s \sim \sigma$  iff*

1.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, s.M(p) = \sigma(id_p)(\text{"s_marking"})$ .
2.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(upper(I_s(t)) = \infty \wedge s.I(t) \leq lower(I_s(t)) \Rightarrow s.I(t) = \sigma(id_t)(\text{"s_time_counter"}))$   
 $\wedge (upper(I_s(t)) = \infty \wedge s.I(t) > lower(I_s(t)) \Rightarrow \sigma(id_t)(\text{"s_time_counter"}) = lower(I_s(t)))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s.I(t) > upper(I_s(t)) \Rightarrow \sigma(id_t)(\text{"s_time_counter"}) = upper(I_s(t)))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s.I(t) \leq upper(I_s(t)) \Rightarrow s.I(t) = \sigma(id_t)(\text{"s_time_counter"}))$ .
3.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, s.reset_t(t) = \sigma(id_t)(\text{"s_reinit_time_counter"})$ .
4.  $\forall c \in C, id_c \in Ins(\Delta) \text{ s.t. } \gamma(c) = id_c, s.cond(c) = \sigma(id_c)$ .
5.  $\forall a \in A, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s.ex(a) = \sigma(id_a)$ .
6.  $\forall f \in F, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s.ex(f) = \sigma(id_f)$ .

In Item 1, based on the  $\gamma$  binder, we relate the marking value of a place  $p$  to the value of the  $s\_marking$  signal inside the internal state of the place component instance  $id_p$ . Items 2 and 3 similarly relate the value of time counters (resp. reset orders) of transitions to the value of the signals  $s\_time\_counter$  (resp.  $s\_reinit\_time\_counter$ ) in the internal state of the corresponding transition component instances. In item 4 (resp. 5 and 6), the boolean value of conditions (resp. actions and functions) are compared to the value of input (resp. output) ports of the  $\mathcal{H}$ -VHDL design, also based on the  $\gamma$  binder.

Explain the time counter particular relation.

The second question that we asked above was: when does this state similarity relation must hold in the course of the execution? The source and target representations are both synchronously executed. Thus, we find it natural to check that the state similarity relation holds at the end of a clock cycle. However, due to modifications resulting after a bug detection and correction (see Section 1.4), the state similarity relation of Definition 1.2 does not hold at the end of a clock cycle. The equality between reset orders (Item 3) is not verified. However, this semantic divergence is without effect. New reset orders are computed at the beginning of a clock cycle such that the relation of Item 3 holds in the middle of the clock cycle (i.e, just before the falling edge of the clock). This is the only moment during the clock cycle where the  $s\_reinit\_time\_counter$  signal is actually involved in the computation of other signals value. Thus, it is sufficient that Item 3 holds only in the middle of the clock cycle. However, we must now defined two state similarity relation; one that checks the semantic matching after the rising edge of the clock signal (i.e, in the middle of the clock cycle), and one that checks the semantic matching after the falling edge of the clock signal (i.e, at the end of the clock cycle). The state similarity relation after a rising edge is defined as follows:

**Definition 2** (Post rising edge state similarity). For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ , and a binder  $\gamma \in WM(sitpn, d)$ , an SITPN state  $s \in S(sitpn)$  and a design state  $\sigma \in \Sigma(\Delta)$  are similar after a rising edge happening, written  $\gamma \vdash s \xrightarrow{\uparrow} \sigma$  iff

1.  $\forall p \in P, id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p, s.M(p) = \sigma(id_p)(“s\_marking”)$ .
2.  $\forall t \in T_i, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t,$   
 $(upper(I_s(t)) = \infty \wedge s.I(t) \leq lower(I_s(t))) \Rightarrow s.I(t) = \sigma(id_t)(“s\_time\_counter”))$   
 $\wedge (upper(I_s(t)) = \infty \wedge s.I(t) > lower(I_s(t))) \Rightarrow \sigma(id_t)(“s\_time\_counter”) = lower(I_s(t)))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s.I(t) > upper(I_s(t))) \Rightarrow \sigma(id_t)(“s\_time\_counter”) = upper(I_s(t)))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s.I(t) \leq upper(I_s(t))) \Rightarrow s.I(t) = \sigma(id_t)(“s\_time\_counter”)).$
3.  $\forall t \in T_i, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t, s.reset_t(t) = \sigma(id_t)(“s\_reinit\_time\_counter”)$ .
4.  $\forall a \in A, id_a \in Outs(\Delta)$  s.t.  $\gamma(a) = id_a, s.ex(a) = \sigma(id_a)$ .
5.  $\forall f \in \mathcal{F}, id_f \in Outs(\Delta)$  s.t.  $\gamma(f) = id_f, s.ex(f) = \sigma(id_f)$ .

Definition 2 is similar to Definition 1 in all points, except for the value of conditions. A condition of an SITPN is implemented by an primary input port in the resulting  $\mathcal{H}$ -VHDL design. In  $\mathcal{H}$ -VHDL semantics, the value of primary input ports (i.e, the input ports of the top-level design) are updated at each clock edge. In the SITPN semantics, the value of conditions are updated only at the falling edge of the clock. Consider that a given SITPN is executed at clock cycle  $\tau$ ; after the rising edge of the clock, the value of conditions are equal to their value at clock cycle  $\tau - 1$ , whereas the value primary input ports have been updated to fresh values. Thus, we will have to wait for the next falling edge to reach the equality between condition values and input port values.

The state similarity relation draws out a correspondence between the values hold by an SITPN state and the values of the signals declared in an  $\mathcal{H}$ -VHDL design state. However, to complete the proof of semantic preservation, we sometimes have to relate the value of signals to the value of expressions or predicates involved in the SITPN semantics. For instance, consider a given SITPN state  $s$  and a given  $\mathcal{H}$ -VHDL design state  $\sigma$ , and consider a transition  $t$  and its corresponding transition component instance  $id_t$ . It is useful to show that, after a rising edge, the value of signal  $s.enabled$  at state  $\sigma(id_t)$ , where  $\sigma(id_t)$  denotes the internal state of component instance  $id_t$  at state  $\sigma$ , is equal to the predicate  $t \in Sens(s.M)$  stating that the transition  $t$  is sensitized (or *enabled*) by the marking at state  $s$  (i.e,  $s.M$ ). Thus, for the convenience of the proof, we enrich our definitions of the state similiarity relations with formulas relating  $\mathcal{H}$ -VHDL signals to SITPN semantics predicates and expressions. Consequently, the *full* post rising edge state similarity relation is defined as follows:

**Definition 3** (Full post rising edge state similarity). For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ , and a binder  $\gamma \in WM(sitpn, d)$ , a clock cycle count  $\tau \in \mathbb{N}$ , and an SITPN execution environment  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ , an SITPN state  $s \in S(sitpn)$  and a design state  $\sigma \in \Sigma(\Delta)$  are fully similar after a rising edge happening at clock cycle count  $\tau$ , written  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$  iff  $\gamma \vdash s \xrightarrow{\uparrow} \sigma$  (Definition 2) and

1.  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t, t \in Sens(s.M) \Leftrightarrow \sigma(id_t)(“s\_enabled”) = \text{true}$ .
2.  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t, t \notin Sens(s.M) \Leftrightarrow \sigma(id_t)(“s\_enabled”) = \text{false}$ .

3.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$

$$\sigma(id_t)(\text{"s\_condition\_combination"}) = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

where  $\text{conds}(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}.$

**Definition 3** extends Definition 2 with the correspondence of the sensitization of transitions and the value of signal  $s\_enabled$ , and the computation of the boolean product of condition values and the value of signal  $s\_condition\_combination$ .

The state similarity relation after a falling edge is defined as follows:

**Definition 4** (Post falling edge state similarity). *For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in \text{design}$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ , and a binder  $\gamma \in WM(sitpn, d)$ , an SITPN state  $s \in S(sitpn)$  and a design state  $\sigma \in \Sigma(\Delta)$  are similar after a falling edge, written  $\gamma \vdash s \overset{\downarrow}{\sim} \sigma$  iff*

1.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, s.M(p) = \sigma(id_p)(\text{"s_marking"}).$
2.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(upper(I_s(t)) = \infty \wedge s.I(t) \leq lower(I_s(t))) \Rightarrow s.I(t) = \sigma(id_t)(\text{"s_time_counter"})$   
 $\wedge (upper(I_s(t)) = \infty \wedge s.I(t) > lower(I_s(t))) \Rightarrow \sigma(id_t)(\text{"s_time_counter"}) = lower(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s.I(t) > upper(I_s(t))) \Rightarrow \sigma(id_t)(\text{"s_time_counter"}) = upper(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s.I(t) \leq upper(I_s(t))) \Rightarrow s.I(t) = \sigma(id_t)(\text{"s_time_counter"}).$
3.  $\forall c \in \mathcal{C}, id_c \in Ins(\Delta) \text{ s.t. } \gamma(c) = id_c, s.cond(c) = \sigma(id_c).$
4.  $\forall a \in \mathcal{A}, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s.ex(a) = \sigma(id_a).$
5.  $\forall f \in \mathcal{F}, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s.ex(f) = \sigma(id_f).$

As explained above, Definition 4 is similar to Definition 1 except for the equality between reset orders and the value of signal  $s\_reinit\_time\_counter$ .

The extended version of the post falling edge state similarity relation is as follows:

**Definition 5** (Full post falling edge state similarity). *For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in \text{design}$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ , and a binder  $\gamma \in WM(sitpn, d)$ , an SITPN state  $s \in S(sitpn)$  and a design state  $\sigma \in \Sigma(\Delta)$  are fully similar after a falling edge, written  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$  iff  $\gamma \vdash s \overset{\downarrow}{\sim} \sigma$  (Definition 4) and*

1.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Firable(s) \Leftrightarrow \sigma(id_t)(\text{"s_firable"}) = \text{true}.$
2.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Firable(s) \Leftrightarrow \sigma(id_t)(\text{"s_firable"}) = \text{false}.$
3.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{true}.$
4.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{false}.$
5.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, \sum_{t \in Fired(s)} pre(p, t) = \sigma(id_p)(\text{"s_output_token_sum"}).$
6.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, \sum_{t \in Fired(s)} post(t, p) = \sigma(id_p)(\text{"s_input_token_sum"}).$

Definition 5 extends Definition 4 by drawing out a correspondence between:

- the firability of transitions and the value of the signal  $s\_firable$
- the firing status of transitions (i.e, transitions are fired or not) and the value of the output port  $fired$
- the sum of tokens consumed by the firing process and the value of the signal  $s\_output\_token\_sum$
- the sum of tokens produced by the firing process and the value of the signal  $s\_input\_token\_sum$

## 1.3 Behavior Preservation Theorem

In this section, we will lay out the major theorems and lemmas stating that the HILECOP transformation function is semantic preserving. We will also present the written proofs for these theorems and lemmas.

### 1.3.1 Proof notations

To add some readability to our proofs, we use the following notations:

- At the point of reading, the most recent framed box denotes the current pending goal (what we are currently trying to prove):  $\boxed{\forall n \in \mathbb{N}, n > 0 \vee n = 0}$
- A red framed box denotes a completed goal (i.e, equivalent to qed):  $\text{true} = \text{true}$
- A green framed box denotes the current induction hypothesis:

$$\boxed{\forall n \in \mathbb{N}, n + 1 > 0}$$

- The mention **CASE** directly follows an item bullet to denote a case during a proof by case analysis.

During a proof, we constantly refer to the names of the constants and signals declared in the  $\mathcal{H}$ -VHDL place and transition designs. Some constants and signals have very long names, and therefore we use aliases to refer to them in the following proofs. Table C.1 gives the full correspondence between constants and signals, and their aliases.

### 1.3.2 Preliminary definitions

We define here some relations that are necessary to formalize the theorem of behavior preservation.

In an SITPN, the conditions associated to transitions receive fresh boolean values from an execution environment at each falling edge of the clock. During the simulation of a top-level design, the input ports of the design receive fresh values from a simulation environment at each clock event. The transformation function generates an input port in the top-level design that will mimick the behavior of a given SITPN condition. The binder  $\gamma$ , generated alongside the top-level design, relates a given condition  $c$  to its corresponding input port identifier  $id_c$ . To compare the execution/simulation traces of an SITPN and a  $\mathcal{H}$ -VHDL design, we must assume that the execution/simulation environments assign similar values to conditions and to their corresponding input ports at a given clock cycle. Definition 6 states that the execution environment for a given SITPN and the simulation environment for a given  $\mathcal{H}$ -VHDL design are similar.

**Definition 6** (Similar environments). For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , a design store  $\mathcal{D} \in entity-id \rightarrow design$ , an elaborated version  $\Delta \in ElDesign(d, \mathcal{D})$  of design  $d$ , and a binder  $\gamma \in WM(sitpn, d)$ , the environment  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ , that yields the value of the primary input ports of  $\Delta$  at a given simulation cycle and a given clock event, and the environment  $E_c$ , that yields the value of conditions of  $sitpn$  at a given execution cycle, are similar, noted  $\gamma \vdash E_p \stackrel{env}{=} E_c$ , iff for all  $\tau \in \mathbb{N}$ ,  $clk \in \{\uparrow, \downarrow\}$ ,  $c \in C$ ,  $id_c \in Ins(\Delta)$  s.t.  $\gamma(c) = id_c$ ,  $E_p(\tau, clk)(id_c) = E_c(\tau)(c)$ .

Definition 6 also states that every input port of the top-level design related to a SITPN condition by the  $\gamma$  binder has a stable boolean value during a whole clock cycle. That is to say, in the context of Definition 6, there exists no  $id_c$  such that  $E_p(\tau, \uparrow)(id_c) \neq E_p(\tau, \downarrow)(id_c)$ .

To prove that the behavior of an SITPN and a  $\mathcal{H}$ -VHDL design are similar, we want to compare the states composing their execution/simulation traces. The relation presented in Definition 7 permits to compare such traces.

**Definition 7** (Execution trace similarity). For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_H)$ , and a binder  $\gamma \in WM(sitpn, d)$ , the execution trace  $\theta_s \in list(S(sitpn))$  and the simulation trace  $\theta_\sigma \in list(\Sigma(\Delta))$  are similar, written  $\gamma \vdash \theta_s \stackrel{clk}{\sim} \theta_\sigma$ , where  $clk \in \{\uparrow, \downarrow\}$ , according to the following rules:

$$\frac{\text{SIMTRACENIL}}{\gamma \vdash [] \stackrel{clk}{\sim} []} \quad \frac{\text{SIMTRACE}\uparrow \quad \text{SIMTRACE}\downarrow}{\gamma \vdash s \stackrel{\uparrow}{\sim} \sigma \quad \gamma \vdash \theta_s \stackrel{\downarrow}{\sim} \theta_\sigma \quad \gamma \vdash s \stackrel{\downarrow}{\sim} \sigma \quad \gamma \vdash \theta_s \stackrel{\uparrow}{\sim} \theta_\sigma} \quad \frac{}{\gamma \vdash (s :: \theta_s) \stackrel{\uparrow}{\sim} (\sigma :: \theta_\sigma) \quad \gamma \vdash (s :: \theta_s) \stackrel{\downarrow}{\sim} (\sigma :: \theta_\sigma)}$$

In Definition 7, the clock event symbol on top of the  $\sim$  sign indicates the kind of clock event that led to the production of the states at the head of the traces. The execution trace similarity relation expects that the states composing the traces have been alternatively produced by a rising edge and then by a falling edge. By construction, the traces must have the same length to respect the execution trace similarity relation.

To handle the case of an execution/simulation trace beginning by a initial state, that is, a state neither reached after a rising nor after falling edge, we give a slightly different definition of the execution trace similarity relation in Definition 8.

**Definition 8** (Full execution trace similarity). For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_H)$ , and a binder  $\gamma \in WM(sitpn, d)$ , the execution trace  $\theta_s \in list(S(sitpn))$  and the simulation trace  $\theta_\sigma \in list(\Sigma(\Delta))$  are fully similar, written  $\gamma \vdash \theta_s \sim \theta_\sigma$ , according to the following rules:

$$\frac{\text{FULLSIMTRACENIL}}{\gamma \vdash [] \sim []} \quad \frac{\text{FULLSIMTRACECONS}}{\gamma \vdash s \sim \sigma \quad \gamma \vdash \theta_s \stackrel{\uparrow}{\sim} \theta_\sigma \quad \gamma \vdash (s :: \theta_s) \sim (\sigma :: \theta_\sigma)}$$

The full execution trace similarity relation indicates that the head states of traces must verify the general state similarity relation, and that the tail of the traces must respect the execution state similarity relation starting with a rising edge.

### 1.3.3 The behavior preservation theorem

Theorem 1 states that the HILECOP transformation is semantic preserving when the input model is a well-defined SITPN. As a complementary task, we could show that if the transformation function returns a couple design and binder, and not an error, then the input SITPN is well-defined.

**Theorem 1** (Behavior Preservation). For all well-defined  $sitpn \in SITPN$ , an  $\mathcal{H}$ -VHDL design  $d \in design$ , a binder  $\gamma \in WM(sitpn, d)$ , a clock cycle count  $\tau \in \mathbb{N}$ , a execution environment  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$  and an execution trace  $\theta_s \in list(S(sitpn))$  s.t.

- SITPN  $sitpn$  translates into design  $d$  and yields a binder  $\gamma$ :  $[sitpn]_{\mathcal{H}} = (d, \gamma)$
- SITPN  $sitpn$  yields the execution trace  $\theta_s$  after  $\tau$  execution cycles in environment  $E_c$ :  
 $E_c, \tau \vdash sitpn \xrightarrow{full} \theta_s$

then there exists an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$  s.t. for all simulation environment  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ , verifying

- Simulation/Execution environments are similar:  $\gamma \vdash E_p \xrightarrow{env} E_c$

then there exists a simulation trace  $\theta_{\sigma} \in list(\Sigma(\Delta))$  s.t.

- Under the HILECOP design store  $\mathcal{D}_{\mathcal{H}}$  and with an empty generic constant dimensioning function ( $\emptyset$ ), design  $d$  yields the simulation trace  $\theta_{\sigma}$  after  $\tau$  simulation cycles:  
 $\mathcal{D}_{\mathcal{H}}, \Delta, \emptyset, E_p, \tau \vdash d \xrightarrow{full} \theta_{\sigma}$
- Traces  $\theta_s$  and  $\theta_{\sigma}$  are fully similar:  $\theta_s \sim \theta_{\sigma}$

*Proof.* Given a  $sitpn \in SITPN$ , a  $d \in design$ , a  $\gamma \in WM(sitpn, d)$ , a  $\tau \in \mathbb{N}$ , an  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$  and a  $\theta_s \in list(S(sitpn))$ , let us show that

$$\exists \Delta, \forall E_p, \gamma \vdash E_p \xrightarrow{env} E_c, \exists \theta_{\sigma} \text{ s.t. } \mathcal{D}_{\mathcal{H}}, \Delta, \emptyset, E_p, \tau \vdash d \xrightarrow{full} \theta_{\sigma} \wedge \theta_s \sim \theta_{\sigma}$$

Appealing to Theorems **Elaboration**, **Initialization** and **Simulation**, let us take an elaborated design  $\Delta$ , two design states  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$ , and a simulation trace  $\theta_{\sigma} \in$  such that:

- $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e)$
- $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0$
- $\mathcal{D}_{\mathcal{H}}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta_{\sigma}$

By definition of the  $\mathcal{H}$ -VHDL full simulation relation, we have:

$$\begin{aligned} \mathcal{D}_{\mathcal{H}}, \Delta, \emptyset, E_p, \tau \vdash d \xrightarrow{full} \theta_{\sigma} &\equiv \exists \sigma_e, \sigma_0 \in \Sigma(\Delta), \mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e) \\ &\quad \wedge \mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0 \\ &\quad \wedge \mathcal{D}_{\mathcal{H}}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta_{\sigma} \end{aligned} \tag{1.1}$$

Rewriting the goal with (1.1):

$$\exists \Delta, \forall E_p, \gamma \vdash E_p \xrightarrow{env} E_c, \exists \theta_{\sigma}, \sigma_e, \sigma_0 \text{ s.t. } \mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e) \wedge \mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0 \wedge \\ \mathcal{D}_{\mathcal{H}}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta_{\sigma} \wedge \theta_s \sim \theta_{\sigma}$$

Let us use  $\Delta, \sigma_e, \sigma_0 \in \Sigma(\Delta)$  and  $\theta_{\sigma}$  to prove the goal:

$$\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e) \wedge \mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{\text{init}} \sigma_0 \wedge \mathcal{D}_{\mathcal{H}}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta_\sigma \wedge \theta_s \sim \theta_\sigma$$

We assumed the three first points of the goal, and the last point, i.e  $\theta_s \sim \theta_\sigma$ , is proved by appealing to Theorem **Full bisimulation**.  $\square$

To prove Theorem 1, we must first prove that for all  $\mathcal{H}$ -VHDL design returned by the transformation function, there exists an elaborated version of it (Theorem **Elaboration**); then, we must prove that we can always build a simulation trace respecting the  $\mathcal{H}$ -VHDL simulation relation over  $\tau$  simulation cycles (Theorem **Initialization** and **Simulation**). Finally, we can establish that the behaviors are similar by comparing the respective SITPN execution and  $\mathcal{H}$ -VHDL simulation traces. In this thesis, we are focusing on the proof that the execution/simulation traces are similar. For now, we choose to disregard the proof of theorems **Elaboration**, **Initialization** and **Simulation** stating the existence of an elaborated design and of a simulation trace for all  $\mathcal{H}$ -VHDL design returned by the HILECOP transformation function.

**Theorem 2** (Elaboration). *For all  $sitpn \in SITPN$ ,  $d \in \text{design}$ ,  $\gamma \in WM(sitpn, d)$  s.t.*

- $\lfloor sitpn \rfloor_{\mathcal{H}} = (d, \gamma)$

*then there exists an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$  and a design state  $\sigma_e \in \Sigma(\Delta)$  s.t.*

- $\Delta$  is the elaborated version of design  $d$ , and  $\sigma_e$  is the default design state of  $\Delta$ :  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e)$

**Theorem 3** (Initialization). *For all  $sitpn \in SITPN$ ,  $d \in \text{design}$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e \in \Sigma(\Delta)$  s.t.*

- $\lfloor sitpn \rfloor_{\mathcal{H}} = (d, \gamma)$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e)$

*then there exists a design state  $\sigma_0 \in \Sigma(\Delta)$  s.t.*

- $\sigma_0$  is the initial simulation state:  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{\text{init}} \sigma_0$

**Theorem 4** (Simulation). *For all  $sitpn \in SITPN$ ,  $d \in \text{design}$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  s.t.*

- $\lfloor sitpn \rfloor_{\mathcal{H}} = (d, \gamma)$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e)$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{\text{init}} \sigma_0$

*then for all simulation environment  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ , and simulation cycle count  $\tau \in \mathbb{N}$ , there exists a simulation trace  $\theta_\sigma \in \text{list}(\Sigma(\Delta))$  s.t.*

- *Design  $d$  yields the simulation trace  $\theta_\sigma$  after  $\tau$  simulation cycles, starting from initial state  $\sigma_0$ :*

$$\mathcal{D}_{\mathcal{H}}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta_\sigma$$

### 1.3.4 The bisimulation theorem

Here, we present the bisimulation theorem. The bisimulation theorem states that if an SITPN and its corresponding  $\mathcal{H}$ -VHDL design are executed/simulated over  $\tau$  execution/simulation cycles, then the produced traces are semantically similar, i.e they verify the full execution trace similarity relation of Definition 8. In this thesis, we proved this particular theorem, and as said before, we left the proofs of Theorems Elaboration, Initialization and Simulation) to later. We chose to focus our work on the bisimulation theorem, because it directly addresses the semantic preservation property of HILECOP's transformation function.

**Theorem 5** (Full bisimulation). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\tau \in \mathbb{N}$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $\theta_s \in list(S(sitpn))$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ ,  $\theta_{\sigma} \in list(\Sigma(\Delta))$  s.t.*

- $[sitpn]_{\mathcal{H}} = (d, \gamma)$
- $\gamma \vdash E_p \stackrel{env}{=} E_c$
- $E_c, \tau \vdash sitpn \xrightarrow{full} \theta_s$
- $\mathcal{D}_{\mathcal{H}}, \Delta, \emptyset, E_p, \tau \vdash d \xrightarrow{full} \theta_{\sigma}$

then  $\gamma \vdash \theta_s \sim \theta_{\sigma}$

*Proof.* Given all the above variables and assuming the above hypotheses, let us show  $\boxed{\gamma \vdash \theta_s \sim \theta_{\sigma}}$ . Let us perform case analysis on  $\tau$ ; there are two cases:

- **CASE  $\tau = 0$ .** By definition of the SITPN full execution and the  $\mathcal{H}$ -VHDL full simulation relations, we have:

- $E_c, 0 \vdash sitpn \xrightarrow{full} [s_0]$  and  $\theta_s = [s_0]$
- $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e)$  and  $\Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0$  and  $\mathcal{D}_{\mathcal{H}}, E_p, \Delta, 0, \sigma_0 \vdash d.cs \rightarrow []$  and  $\theta_{\sigma} = [\sigma_0]$

Rewriting  $\theta_s$  as  $[s_0]$ , and  $\theta_{\sigma}$  as  $[\sigma_0]$ , and by definition of the full execution trace similarity relation, what is left to prove is:  $\boxed{\gamma \vdash s_0 \sim \sigma_0}$

Appealing to Lemma Similar Initial States, we can show  $\boxed{\gamma \vdash s_0 \sim \sigma_0}$ .

- **CASE  $\tau > 0$ .** By definition of the SITPN full execution relation (i.e,  $E_c, \tau \vdash sitpn \xrightarrow{full} \theta_s$ ) and the  $\mathcal{H}$ -VHDL full simulation relation (i.e,  $\mathcal{D}_{\mathcal{H}}, \Delta, \emptyset, E_p, \tau \vdash d \xrightarrow{full} \theta_{\sigma}$ ), we have:

- $E_c, \tau \vdash s_0 \xrightarrow{\uparrow_0} s_0$  and  $E_c, \tau \vdash s_0 \xrightarrow{\downarrow} s$  and  $E_c, \tau - 1 \vdash sitpn, s \rightarrow \theta$  and  $\theta_s = s_0 :: s_0 :: s :: \theta$
- $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e)$  and  $\Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0$  and  $E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta'$  and  $\theta_{\sigma} = \sigma_0 :: \theta'$

Rewriting  $\theta_s$  and  $\theta_{\sigma}$ , the new goal is:  $\boxed{\gamma \vdash (s_0 :: s_0 :: s :: \theta) \sim (\sigma_0 :: \theta')}$

By definition of the  $\mathcal{H}$ -VHDL simulation relation (i.e,  $E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta'$ ), we have:

$E_p, \Delta, \tau, \sigma_0 \vdash d.cs \xrightarrow{\uparrow\downarrow} \sigma, \sigma'$  and  $E_p, \Delta, \tau - 1, \sigma' \vdash d.cs \rightarrow \theta''$  and  $\theta' = \sigma :: \sigma' :: \theta''$

Rewriting  $\theta'$ , the new goal is:  $\boxed{\gamma \vdash (s_0 :: s_0 :: s :: \theta) \sim (\sigma_0 :: \sigma :: \sigma' :: \theta'')}$

By definition of the full execution trace similarity relation, there are four points to prove:

1.  $\boxed{\gamma \vdash s_0 \sim \sigma_0.}$

Appealing to Lemma **Similar Initial States**, we can show  $\boxed{\gamma \vdash s_0 \sim \sigma_0.}$

2.  $\boxed{\gamma, E_c, \tau \vdash s_0 \overset{\uparrow}{\sim} \sigma.}$

Appealing to Lemma **First Rising Edge**, we have  $\gamma, E_c, \tau \vdash s_0 \overset{\uparrow}{\approx} \sigma$ .

By definition of  $\gamma, E_c, \tau \vdash s_0 \overset{\uparrow}{\approx} \sigma$ , we can show  $\boxed{\gamma, E_c, \tau \vdash s_0 \overset{\uparrow}{\sim} \sigma.}$

3.  $\boxed{\gamma \vdash s \overset{\downarrow}{\sim} \sigma'.$

Appealing to Lemma **First Rising Edge** and Lemma **Falling edge**, we have  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma'$ .

By definition of  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma'$ , we can show  $\boxed{\gamma \vdash s \overset{\downarrow}{\sim} \sigma'.$

4.  $\boxed{\gamma \vdash \theta \overset{\uparrow}{\sim} \theta''.$

Appealing to Lemma **First Rising Edge** and Lemma **Falling edge**, we have  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma'$ .

Then, we can appeal to Lemma **Bisimulation** to show  $\boxed{\gamma \vdash \theta \overset{\uparrow}{\sim} \theta''.$

□

In the proof of Theorem 5, in the case where  $\tau > 0$ , we must show that the state similarity relation holds between the states produced by the first execution cycle, and then use Lemma 1 to complete the proof of similarity between the tail traces. First, we must show that the initial states of both SITPN and  $\mathcal{H}$ -VHDL design verify the general state similarity relation (Definition 1); this is done by appealing to Lemma **Similar Initial States**. The first execution cycle is particular because, by definition of the SITPN full execution relation, no transitions are fired during the first rising edge. Therefore, after the first rising edge, the SITPN state is still equal to its initial state  $s_0$ . We prove that the post rising edge similarity relation is verified after the first rising edge by appealing to Lemma **First Rising Edge**. The detailed proofs for Lemmas **Similar Initial States** and **First Rising Edge** are given in Sections C.1 and C.2.

Lemma 1 is similar to Theorem 5 excepts that the execution/simulation traces are not produced starting from the initial states, but starting from two states verifying the full post falling edge state similarity relation (i.e.,  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$ ). The SITPN execution relation and the  $\mathcal{H}$ -VHDL simulation relation execute one computational step at clock count  $\tau$  and then decrement the clock count and call themselves recursively to produce the rest of the execution/simulation traces. Therefore, the proof of Lemma 1 is naturally done by induction over the clock count  $\tau$ .

**Lemma 1 (Bisimulation).** *For all sitpn, d,  $\gamma$ ,  $E_p$ ,  $E_c$ ,  $\tau$ , s,  $\theta_s$ ,  $\sigma$ ,  $\theta_\sigma$ ,  $\Delta$ ,  $\sigma_e$ , assume that:*

- $\lfloor sitpn \rfloor_{\mathcal{H}} = (d, \gamma)$  and  $\gamma \vdash E_p \stackrel{env}{=} E_c$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} \Delta, \sigma_e$

- Starting states are fully similar as intended after a falling edge:  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$
- $E_c, \tau \vdash \text{sitpn}, s \rightarrow \theta_s$
- $E_p, \Delta, \tau, \sigma \vdash d.cs \rightarrow \theta_\sigma$

then  $\gamma \vdash \theta_s \overset{\uparrow}{\sim} \theta_\sigma$ .

*Proof.* Given all the above variables and assuming the above hypotheses, let us show  $\boxed{\gamma \vdash \theta_s \overset{\uparrow}{\sim} \theta_\sigma}$ . Let us reason by induction on  $\tau$ .

- **Base case:**  $\tau = 0$ . Then,  $\sigma_s = \sigma_\sigma = []$  and by definition of the execution trace similarity relation, we can show  $\boxed{\gamma \vdash [] \overset{\uparrow}{\approx} []}$ .
- **Induction case:**  $\tau > 0$ .

$\boxed{\forall s, \sigma, \theta_s, \theta_\sigma \text{ s.t. } \gamma \vdash s \overset{\downarrow}{\approx} \sigma \text{ and } E_c, \tau - 1 \vdash \text{sitpn}, s \rightarrow \theta_s \text{ and } E_p, \Delta, \tau - 1, \sigma \vdash d.cs \rightarrow \theta_\sigma \text{ then } \gamma \vdash \theta_s \overset{\uparrow}{\approx} \theta_\sigma}$

By definition of the SITPN execution and the  $\mathcal{H}$ -VHDL simulation relations for  $\tau > 0$ , we have:

- $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$  and  $E_c, \tau \vdash s' \xrightarrow{\downarrow} s''$  and  $E_c, \tau - 1 \vdash \text{sitpn}, s'' \rightarrow \theta$ .
- $\text{Inject}_\uparrow(\sigma, E_p, \tau, \sigma_i)$  and  $\Delta, \sigma_i \vdash d.cs \xrightarrow{\uparrow} \sigma_\uparrow$  and  $\Delta, \sigma_\uparrow \vdash d.cs \xrightarrow{\rightsquigarrow} \sigma'$
- $\text{Inject}_\downarrow(\sigma', E_p, \tau, \sigma'_i)$  and  $\Delta, \sigma'_i \vdash d.cs \xrightarrow{\downarrow} \sigma_\downarrow$  and  $\Delta, \sigma_\downarrow \vdash d.cs \xrightarrow{\rightsquigarrow} \sigma''$
- $E_p, \Delta, \tau - 1, \sigma'' \vdash d.cs \rightarrow \theta'$ .

and  $\theta_s = s' :: s'' :: \theta$  and  $\theta_\sigma = \sigma' :: \sigma'' :: \theta'$ .

Then, the new goal is:  $\boxed{\gamma \vdash (s' :: s'' :: \theta) \overset{\uparrow}{\sim} (\sigma' :: \sigma'' :: \theta')}$ .

By definition of the execution trace similarity relation, there are three points to prove:

1.  $\boxed{\gamma \vdash s' \overset{\uparrow}{\sim} \sigma'}$

Appealing to Lemma **Falling edge**, we have  $\gamma \vdash s' \overset{\uparrow}{\approx} \sigma'$ .

By definition of  $\gamma \vdash s' \overset{\uparrow}{\approx} \sigma'$ , we can show  $\boxed{\gamma \vdash s' \overset{\uparrow}{\sim} \sigma'}$ .

2.  $\boxed{\gamma \vdash s'' \overset{\downarrow}{\approx} \sigma''}$

Appealing to Lemmas **Falling edge** and **Rising edge**, we have  $\gamma, E_c, \tau \vdash s' \overset{\downarrow}{\approx} \sigma'$ .

By definition of  $\gamma, E_c, \tau \vdash s' \overset{\downarrow}{\approx} \sigma'$ , we can show  $\boxed{\gamma \vdash s' \overset{\downarrow}{\sim} \sigma'}$ .

3.  $\boxed{\gamma \vdash \theta \overset{\uparrow}{\sim} \theta'}$

We can apply the induction hypothesis with  $s = s''$ ,  $\sigma = \sigma''$ ,  $\theta_s = \theta$  and  $\theta_\sigma = \theta'$ . Then, what is left to prove is:  $\boxed{\gamma \vdash s'' \overset{\downarrow}{\approx} \sigma''}$

Appealing to Lemmas **Falling edge** and **Rising edge**, we can show  $\boxed{\gamma \vdash s'' \overset{\downarrow}{\approx} \sigma''}$ .

□

To prove the semantic preservation property, we want to prove that a given SITPN and its translated  $\mathcal{H}$ -VHDL version follow the bisimulation diagram of Figure 1.3. The left part of the diagram presents the execution of an SITPN over one clock cycle, and the right part of the diagram presents the simulation of an  $\mathcal{H}$ -VHDL design over one clock cycle. The upper part of the diagram corresponds to the rising edge phase of the clock cycle, and the lower part illustrates the falling edge phase of the clock cycle. The upper part of the diagram is proved by Lemma **Rising edge**. First, we assume that the starting SITPN state and the starting  $\mathcal{H}$ -VHDL design state verify the full post falling edge state similarity relation at the beginning of the clock cycle (i.e.,  $s \overset{\downarrow}{\approx} \sigma$  in Figure 1.3). Then, Lemma **Rising edge** states that after the computation of a rising edge step on the SITPN part and on the  $\mathcal{H}$ -VHDL part the resulting states verify the full post rising edge state similarity relation. The lower part of the diagram is proved by Lemma **Falling edge**. First, we assume that the starting SITPN state and the starting  $\mathcal{H}$ -VHDL state verify the full post rising edge state similarity relation (i.e.,  $s' \overset{\downarrow}{\approx} \sigma'$  in Figure 1.3). Then, Lemma **Rising edge** states that after the computation of a falling edge step on the SITPN part and on the  $\mathcal{H}$ -VHDL part the resulting states verify the full post falling edge state similarity relation.



FIGURE 1.3: Bisimulation diagram over one clock cycle for a source SITPN and a target  $\mathcal{H}$ -VHDL design.

Here, we present Lemma **Rising edge** and Lemma **Falling edge**, along with their proofs. In the two lemmas, we added an extra hypothesis about the starting state of the  $\mathcal{H}$ -VHDL design:  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma \vdash d.cs \xrightarrow{\text{comb}} \sigma$ . The hypothesis states that all signal values are stable at the beginning of the considered clock phase. This means that the execution of the combinational part of the  $\mathcal{H}$ -VHDL design does not change the value of signals anymore. This hypothesis is mandatory to determine the expression associated to combinational signals, i.e the combinational equations, at the beginning of the clock phase (see Section 1.4 for more details about combinational equations).

To prove Lemmas **Rising edge** and **Falling edge**, one must show that every point of the state similarity relation in the conclusion holds. For each point, the proof is given as a separate lemma that the reader will find in Appendix C. The proof strategy to show the equalities or equivalences laid out in the state similarity relation follows the same two-fold pattern:

- First, reason on the SITPN structure and on the transformation function to determine the content of the target  $\mathcal{H}$ -VHDL design.
- Then, reason on the SITPN state transition relation and the  $\mathcal{H}$ -VHDL “simulation” relations (i.e, the  $\text{Inject}_{clk}$ ,  $\uparrow$ ,  $\downarrow$  and  $\rightsquigarrow$  relations) to establish the equality between the values coming from the SITPN world (i.e, marking, time counters, reset orders, etc. and also predicates) and the values of the signals declared in the  $\mathcal{H}$ -VHDL design and in its internal component instances.

The application of this proof strategy will be detailed in Section 1.4.

**Lemma 2** (Rising edge). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ ,  $\tau \in \mathbb{N}$ ,  $s, s' \in S(sitpn)$ ,  $\sigma_e, \sigma, \sigma_i, \sigma_{\uparrow}, \sigma' \in \Sigma(\Delta)$ , assume that:*

- $[sitpn]_{\mathcal{H}} = (d, \gamma)$  and  $\gamma \vdash E_p \stackrel{\text{env}}{=} E_c$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} \Delta, \sigma_e$
- $\gamma \vdash s \approx \sigma$
- $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$
- $\text{Inject}_{\uparrow}(\sigma, E_p, \tau, \sigma_i)$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_i \vdash d.cs \xrightarrow{\uparrow} \sigma_{\uparrow}$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_{\uparrow} \vdash d.cs \rightsquigarrow \sigma'$
- State  $\sigma$  is a stable design state:  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma \vdash d.cs \xrightarrow{\text{comb}} \sigma$

then  $\gamma, E_c, \tau \vdash s' \approx \sigma'$ .

*Proof.* By definition of the **Full post rising edge state similarity** relation, there are 8 points to prove:

1.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, s'.M(p) = \sigma'(id_p)(\text{"s_marking"})$ .
2.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(upper(I_s(t)) = \infty \wedge s'.I(t) \leq lower(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"})$   
 $\wedge (upper(I_s(t)) = \infty \wedge s'.I(t) > lower(I_s(t))) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = lower(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) > upper(I_s(t))) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = upper(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) \leq upper(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"}))$ .

3.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, s'.reset_t(t) = \sigma'(id_t)(\text{"s\_reinit\_time\_counter"})$ .
4.  $\forall a \in \mathcal{A}, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s'.ex(a) = \sigma'(id_a)$ .
5.  $\forall f \in \mathcal{F}, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s'.ex(f) = \sigma'(id_f)$ .
6.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Sens(s'.M) \Leftrightarrow \sigma'(id_t)(\text{"s\_enabled"}) = \text{true}$ .
7.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Sens(s'.M) \Leftrightarrow \sigma'(id_t)(\text{"s\_enabled"}) = \text{false}$ .
8.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$   

$$\sigma'(id_t)(\text{"s\_condition\_combination"}) = \prod_{c \in cond_s(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

where  $cond_s(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$ .

Each point is proved by a separate lemma:

- Apply Lemma [Rising Edge Equal Marking](#) to solve 1.
- Apply Lemma [Rising Edge Equal Time Counters](#) lemma to solve 2.
- Apply Lemma [Rising Edge Equal Reset Orders](#) to solve 3.
- Apply Lemma [Rising Edge Equal Action Executions](#) to solve 4.
- Apply Lemma [Rising Edge Equal Function Executions](#) to solve 5.
- Apply Lemma [Rising Edge Equal Sensitized](#) to solve 6.
- Apply Lemma [Rising Edge Equal Not Sensitized](#) to solve 7.
- Apply Lemma [Rising Edge Equal Condition Combination](#) to solve 8.

□

**Lemma 3** (Falling edge). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $\Delta \in ElDesign(d, \mathcal{D}_H)$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ ,  $\tau \in \mathbb{N}$ ,  $s, s' \in S(sitpn)$ ,  $\sigma_e, \sigma, \sigma_i, \sigma_\downarrow, \sigma' \in \Sigma(\Delta)$ , assume that:*

- $\lfloor sitpn \rfloor_H = (d, \gamma)$  and  $\gamma \vdash E_p \stackrel{env}{=} E_c$  and  $\mathcal{D}_H, \emptyset \vdash d \xrightarrow{elab} \Delta, \sigma_e$
- $\gamma, E_c, \tau \vdash s \approx^\uparrow \sigma$
- $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$
- $\text{Inject}_\downarrow(\sigma, E_p, \tau, \sigma_i)$  and  $\Delta, \sigma_i \vdash d.cs \xrightarrow{\downarrow} \sigma_\downarrow$  and  $\Delta, \sigma_\downarrow \vdash d.cs \rightsquigarrow \sigma'$
- State  $\sigma$  is a stable design state:  $\mathcal{D}_H, \Delta, \sigma \vdash d.cs \xrightarrow{comb} \sigma$

then  $\gamma \vdash s' \approx^\downarrow \sigma'$ .

*Proof.* By definition of the [Post falling edge state similarity](#) relation, there are 11 points to prove:

1.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, s'.M(p) = \sigma'(id_p)(\text{"s_marking"}).$
2.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(upper(I_s(t)) = \infty \wedge s'.I(t) \leq lower(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"}) )$   
 $\wedge (upper(I_s(t)) = \infty \wedge s'.I(t) > lower(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = lower(I_s(t)))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) > upper(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = upper(I_s(t)))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) \leq upper(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"})).$
3.  $\forall c \in C, id_c \in Ins(\Delta) \text{ s.t. } \gamma(c) = id_c, s'.cond(c) = \sigma'(id_c).$
4.  $\forall a \in A, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s'.ex(a) = \sigma'(id_a).$
5.  $\forall f \in F, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s'.ex(f) = \sigma'(id_f).$
6.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Firable(s') \Leftrightarrow \sigma'(id_t)(\text{"s_firable"}) = \text{true}.$
7.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Firable(s') \Leftrightarrow \sigma'(id_t)(\text{"s_firable"}) = \text{false}.$
8.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Fired(s') \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}.$
9.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Fired(s') \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{false}.$
10.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, \sum_{t \in Fired(s')} pre(p, t) = \sigma'(id_p)(\text{"s_output_token_sum"}).$
11.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, \sum_{t \in Fired(s')} post(t, p) = \sigma'(id_p)(\text{"s_input_token_sum"}).$

Each point is proved by a separate lemma:

- Apply Lemma **Falling Edge Equal Marking** to solve 1.
- Apply Lemma **Falling Edge Equal Time Counters** to solve 2.
- Apply Lemma **Falling Edge Equal Condition Values** to solve 3.
- Apply Lemma **Falling Edge Equal Action Executions** to solve 4.
- Apply Lemma **Falling Edge Equal Function Executions** to solve 5.
- Apply Lemma **Falling Edge Equal Firable** to solve 6.
- Apply Lemma **Falling Edge Equal Not Firable** to solve 7.
- Apply Lemma **Falling Edge Equal Fired** to solve 8.
- Apply Lemma **Falling Edge Equal Not Fired** to solve 9.
- Apply Lemma **Falling Edge Equal Output Token Sum** to solve 10.
- Apply Lemma **Falling Edge Equal Input Token Sum** to solve 11.

□

## 1.4 A detailed proof: equivalence of fired transitions

**Definition 9** (Falling Edge Hypotheses). Given an  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $\Delta \in ElDesign(d, \mathcal{D}_H)$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ ,  $\tau \in \mathbb{N}$ ,  $s, s' \in S(sitpn)$ ,  $\sigma_e, \sigma, \sigma_i, \sigma_\downarrow, \sigma' \in \Sigma(\Delta)$ , assume that:

- $\lfloor sitpn \rfloor_H = (d, \gamma)$  and  $\gamma \vdash E_p \stackrel{env}{=} E_c$  and  $\mathcal{D}_H, \emptyset \vdash d \xrightarrow{elab} \Delta, \sigma_e$
- $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\sim} \sigma$
- $E_c, \tau \vdash s \overset{\downarrow}{\rightarrow} s'$
- $\text{Inject}_\downarrow(\sigma, E_p, \tau, \sigma_i)$  and  $\Delta, \sigma_i \vdash d.cs \overset{\downarrow}{\rightarrow} \sigma_\downarrow$  and  $\Delta, \sigma_\downarrow \vdash d.cs \rightsquigarrow \sigma'$
- State  $\sigma$  is a stable design state:  $\mathcal{D}_H, \Delta, \sigma \vdash d.cs \xrightarrow{comb} \sigma$

**Lemma 4** (Falling Edge Equal Fired). For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t, t \in Fired(s') \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}$ .

*Proof.* Given a  $t \in T$  and an  $id_t$  s.t.  $\gamma(t) = id_t$ , let us show  $t \in Fired(s') \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}$ . The proof is in two parts:

1. Assuming that  $t \in Fired(s')$ , let us show  $\sigma'(id_t)(\text{"fired"}) = \text{true}$ .

By definition of  $t \in Fired(s')$ , there exists  $fset \subseteq T$  s.t.  $IsFiredSet(s', fset) \wedge t \in fset$ .

Let us take such an  $fset$ , and apply Lemma **Falling Edge Equal Fired Set** to solve the goal.

2. Assuming that  $\sigma'(id_t)(\text{"fired"}) = \text{true}$ , let us show  $t \in Fired(s')$ .

By definition of  $t \in Fired(s')$ , let us show that  $\exists fset \subseteq T$  s.t.  $IsFiredSet(s', fset) \wedge t \in fset$

Assuming that sitpn is a well-defined SITPN (see Section ), we can always find an  $fset \subseteq T$  such that  $\forall s \in S(sitpn), IsFiredSet(s, fset)$  is derivable. Let us take an  $fset \subseteq T$  s.t.  $IsFiredSet(s', fset)$ , and use it to prove the goal by applying Lemma **Falling Edge Equal Fired Set**.

□

**Lemma 5** (Falling Edge Equal Not Fired). For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall t, id_t$  s.t.  $\gamma(t) = id_t, t \notin Fired(s') \Leftrightarrow \sigma'_t(\text{"fired"}) = \text{false}$ .

*Proof.* Proving the above lemma is trivial by appealing to Lemma **Falling Edge Equal Fired** and by reasoning on contrapositives. □

**Lemma 6** (Falling Edge Equal Fired Set). For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t, \forall fset \subseteq T, s.t. IsFiredSet(s', fset), t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}$ .

*Proof.* Given a  $t \in T$ , and  $id_t \in Comps(\Delta)$ , and a  $fset \subseteq T$  s.t.  $IsFiredSet(s', fset)$ , let us show  $t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}$ .

By definition of  $IsFiredSet(s', fset)$ , we have  $IsFiredSetAux(s', \emptyset, T, fset)$ .

Then, we can appeal to Lemma **Falling Edge Equal Fired Set Aux** to solve the goal, but first we must prove the following *extra hypothesis* (i.e, one of the premise of Lemma **Falling Edge Equal Fired Set Aux**):

$$\forall t' \in T, id_{t'} \in Comps(\Delta) \text{ s.t. } \gamma(t') = id_{t'}, \\ (t' \in \emptyset \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in \emptyset \vee t' \in T).$$

Given a  $t' \in T$  and an  $id_{t'} \in Comps(\Delta)$  s.t.  $\gamma(t') = id_{t'}$ , there are two points to prove:

1.  $t' \in \emptyset \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}$
2.  $\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in \emptyset \vee t' \in T$

Let us show these two points:

1. Assuming  $t' \in \emptyset$ , let us show  $\sigma'(id_{t'})(\text{"fired"}) = \text{true}$ .  
 $t' \in \emptyset$  is a contradiction.
2. Assuming  $\sigma'(id_{t'})(\text{"fired"}) = \text{true}$ , let us show  $t' \in \emptyset \vee t' \in T$ .  
By definition,  $t' \in T$ .

□

**Lemma 7** (Falling Edge Equal Fired Set Aux). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t, \forall fired \subseteq T, T_s \subseteq T, fset \subseteq T$ , assume that:*

- $IsFiredSetAux(s', fired, T_s, fset)$
- *EH (Extra. Hypothesis):*  
 $\forall t' \in T, id_{t'} \in Comps(\Delta) \text{ s.t. } \gamma(t') = id_{t'},$   
 $(t' \in fired \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in fired \vee t' \in T_s).$

then  $t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}$ .

*Proof.* Given a  $t \in T$ , an  $id_t \in Comps(\Delta)$ , a  $fired, T_s, fset \subseteq T$ , and assuming

$IsFiredSetAux(s', fired, T_s, fset)$  and EH, let us show  $t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}$ .

Let us reason by induction on  $IsFiredSetAux(s', fired, T_s, fset)$ .

- **BASE CASE:**  $t \in fired \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}$ .

In that case,  $fired = fset$  and  $T_s = \emptyset$ , EH looks like this:

$$\forall t' \in T, id_{t'} \in Comps(\Delta) \text{ s.t. } \gamma(t') = id_{t'}, \\ (t' \in fired \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in fired \vee t' \in \emptyset).$$

From EH, we can deduce  $t \in fired \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}$ .

- **INDUCTION CASE:**  $t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}.$

In that case, we have:

- $\text{IsTopPrioritySet}(T_s, tp)$
- $\text{ElectFired}(s', fired, tp, fired')$
- $\text{FiredAux}(s', fired', T_s \setminus tp, fset)$

$$\begin{aligned} & (\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'}, \\ & (t' \in fired' \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in fired' \vee t' \in \\ & T_s \setminus tp)) \Rightarrow \\ & t \in fset \Leftrightarrow \sigma'_t(\text{"fired"}) = \text{true}. \end{aligned}$$

Applying the induction hypothesis, then, the new goal is:

$$\begin{aligned} & \forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'}, \\ & (t' \in fired' \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \\ & \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in fired' \vee t' \in T_s \setminus tp) \end{aligned}$$

Apply Lemma **ELECT FIRED EQUAL FIRED** to solve the goal.

□

**Lemma 8** (Elect Fired Equal Fired). *For all  $s, t, p, n, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall fired, fired', T_s, tp, fset \subseteq T$ , assume that:*

- $\text{IsTopPrioritySet}(T_s, tp)$
- $\text{ElectFired}(s', fired, tp, fired')$
- $\text{FiredAux}(s', fired', T_s \setminus tp, fset)$
- **EH (Extra. Hypothesis):**  
 $\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'},$   
 $(t' \in fired \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in fired \vee t' \in T_s)$

then  $\forall t \in T, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(t \in fired' \Rightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_t)(\text{"fired"}) = \text{true} \Rightarrow t \in fired' \vee t \in T_s \setminus tp).$

*Proof.* Given a  $t \in T$  and an  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show

$$(t \in fired' \Rightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_t)(\text{"fired"}) = \text{true} \Rightarrow t \in fired' \vee t \in T_s \setminus tp).$$

Let us reason by induction on  $\text{ElectFired}(s', fired, tp, fired')$ ; there are three cases:

1. **BASE CASE:**  $tp = \emptyset$  and  $fired = fired'$ .
2. **INDUCTIVE CASE:**  $tp = \{t_0\} \cup tp_0$  and  $t_0$  is elected to be fired.
3. **INDUCTIVE CASE:**  $tp = \{t_0\} \cup tp_0$  and  $t_0$  is not elected to be fired.

Let us prove the goal in these three contexts:

1. **BASE CASE:**

$$(t \in \text{fired} \Rightarrow \sigma'(\text{id}_t)(\text{"fired"}) = \text{true}) \wedge (\sigma'(\text{id}_t)(\text{"fired"}) = \text{true} \Rightarrow t \in \text{fired} \vee t \in T_s).$$

Apply EH to solve the goal.

2. **INDUCTIVE CASE:**  $tp = \{t_0\} \cup tp_0$  and  $t_0$  is elected to be fired.

In that case, we have:

- $\text{IsTopPrioritySet}(T_s, \{t_0\} \cup tp_0)$
- $\text{ElectFired}(s', \text{fired} \cup \{t_0\}, tp_0, \text{fired}')$
- $\text{IsFiredSetAux}(s', \text{fired}', T_s \setminus \{t_0\} \cup tp_0, fset)$
- $t_0 \in \text{Firable}(s')$
- $t_0 \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i))$  where  $\text{Pr}(t, \text{fired}) = \{t' \mid t' \succ t \wedge t' \in \text{fired}\}$
- EH:  $\forall t' \in T, id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'}$ ,  
 $(t' \in \text{fired} \Rightarrow \sigma'(id_{t'})(\text{"f"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"f"}) = \text{true} \Rightarrow t' \in \text{fired} \vee t' \in T_s)$

$$\begin{aligned} & \forall T'_s \subseteq T, \\ & \text{IsTopPrioritySet}(T'_s, tp_0) \Rightarrow \\ & \text{IsFiredSetAux}(s', \text{fired}', T'_s \setminus tp_0, fset) \Rightarrow \\ & (\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'}, \\ & (t' \in \text{fired} \cup \{t_0\} \Rightarrow \sigma'_{t'}(\text{"f"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"f"}) = \text{true} \Rightarrow t' \in \text{fired} \cup \{t_0\} \vee t' \in T'_s)) \Rightarrow \\ & \forall t \in T, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t, \\ & (t \in \text{fired}' \Rightarrow \sigma'(id_t)(\text{"f"}) = \text{true}) \wedge (\sigma'(id_t)(\text{"f"}) = \text{true} \Rightarrow t \in \text{fired}' \vee t \in T'_s \setminus tp_0) \end{aligned}$$

$$\forall t \in T, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t, \\ (t \in \text{fired}' \Rightarrow \sigma'_t(\text{"f"}) = \text{true}) \wedge (\sigma'_t(\text{"f"}) = \text{true} \Rightarrow t \in \text{fired}' \vee t \in T_s \setminus \{t_0\} \cup tp_0)$$

To solve the goal, we can apply the induction hypothesis with  $T'_s = T_s \setminus \{t_0\}$ ; then, there are three points to prove:

- (a)  $\boxed{\text{IsTopPrioritySet}(T_s \setminus \{t_0\}, tp_0)}$
- (b)  $\boxed{\text{IsFiredSetAux}(s', \text{fired}', (T_s \setminus \{t_0\}) \setminus tp_0, fset)}$
- (c)  $\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'},$   
 $(t' \in \text{fired} \cup \{t_0\} \Rightarrow \sigma'_{t'}(\text{"f"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"f"}) = \text{true} \Rightarrow t' \in \text{fired} \cup \{t_0\} \vee t' \in T_s \setminus \{t_0\})$

Let us prove these three points:

$$(a) \boxed{\text{IsTopPrioritySet}(T_s \setminus \{t_0\}, tp_0)}$$

Not provable yet.

- (b)  $\boxed{\text{IsFiredSetAux}(s', \text{fired}', (T_s \setminus \{t_0\}) \setminus \text{tp}_0, \text{fset})}.$

We know that  $(T_s \setminus \{t_0\}) \setminus \text{tp}_0 = T_s \setminus (\{t_0\} \cup \text{tp}_0)$ , and thus

$\text{IsFiredSetAux}(s', \text{fired}', T_s \setminus (\{t_0\} \cup \text{tp}_0), \text{fset})$  is an assumption.

- (c)  $\boxed{\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'},}$   
 $\boxed{(t' \in \text{fired} \cup \{t_0\} \Rightarrow \sigma'(id_{t'})(\text{"f"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"f"}) = \text{true} \Rightarrow t' \in \text{fired} \cup \{t_0\} \vee t' \in T_s \setminus \{t_0\})}$

Given a  $t' \in T$  and an  $id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'}$ , let us show

$$\boxed{(t' \in \text{fired} \cup \{t_0\} \Rightarrow \sigma'(id_{t'})(\text{"f"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"f"}) = \text{true} \Rightarrow t' \in \text{fired} \cup \{t_0\} \vee t' \in T_s \setminus \{t_0\})}.$$

The proof is in two parts.

- i. Assuming that  $t' \in \text{fired} \cup \{t_0\}$ , let us show  $\boxed{\sigma'(id_{t'})(\text{"f"}) = \text{true}}.$

Case analysis on  $t' \in \text{fired} \cup \{t_0\}$ ; there are two cases:

- $t' \in \text{fired}$
- $t' = t_0$

Let us prove the goal in these two contexts.

- **CASE  $t' \in \text{fired}$ :** Thanks to EH, we can deduce  $\boxed{\sigma'_t(\text{"f"}) = \text{true}}.$

- **CASE  $t' = t_0$ :**

By definition of  $id_{t'}$ , there exist a  $gm_{t'}$ ,  $ipm_{t'}$ ,  $opm_{t'}$  s.t.  $\text{comp}(id_{t'}, \text{"transition"}, gm_{t'}, ipm_{t'}, opm_{t'}) \in d.cs$ .

By property of the stabilize relation and  $\text{comp}(id_{t'}, \text{"transition"}, gm_{t'}, ipm_{t'}, opm_{t'}) \in d.cs$ :

$$\sigma(id_{t'})(\text{"f"}) = \sigma(id_{t'})(\text{"sfa"}) \cdot \sigma(id_{t'})(\text{"spc"}) \quad (1.2)$$

Rewriting the goal with (1.2):  $\boxed{\sigma(id_{t'})(\text{"sfa"}) \cdot \sigma(id_{t'})(\text{"spc"}) = \text{true}}.$

Then, we can show that:

–  $\sigma(id_{t'})(\text{"sfa"}) = \text{true}$  by applying Lemma **Falling Edge Equal Firable**

–  $\sigma(id_{t'})(\text{"spc"}) = \text{true}$  by applying Lemma **Stabilize Compute Priority Combination After Falling Edge**.

- ii. Assuming that  $\sigma'(id_{t'})(\text{"f"}) = \text{true}$ , let us show  $\boxed{t' \in \text{fired} \cup \{t_0\} \vee t' \in T_s \setminus \{t_0\}}.$

From  $\sigma'(id_{t'})(\text{"f"}) = \text{true}$  and EH, we can deduce that  $t' \in \text{fired} \vee t' \in T_s$ .

Case analysis on  $t' \in \text{fired} \vee t' \in T_s$ .

- **CASE  $t' \in \text{fired}$ :** then, it is trivial to show  $\boxed{t' \in \text{fired} \cup \{t_0\}}.$

- **CASE  $t' \in T_s$ :** We know that  $t_0 \in T_s$ . Therefore, either  $\boxed{t' \in T_s \setminus \{t_0\}}$ , or  $t' = t_0$ , and then,  $\boxed{t' \in \text{fired} \cup \{t_0\}}.$

### 3. INDUCTIVE CASE: $tp = \{t_0\} \cup \text{tp}_0$ and $t_0$ is not elected to be fired.

- $\text{IsTopPrioritySet}(T_s, \{t_0\} \cup \text{tp}_0)$
- $\text{ElectFired}(s', \text{fired}, \text{tp}_0, \text{fired}')$

- $\text{IsFiredSetAux}(s', \text{fired}', T_s \setminus \{t_0\} \cup tp_0, fset)$
- $\neg(t_0 \in \text{Firable}(s') \wedge t_0 \in \text{Sens}(s'.M - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(t_i)))$
- EH:  
 $\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'},$   
 $(t' \in \text{fired} \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in \text{fired} \vee t' \in T_s)$

$\forall T'_s \subseteq T,$   
 $\text{IsTopPrioritySet}(T'_s, tp_0) \Rightarrow$   
 $\text{IsFiredSetAux}(s', \text{fired}', T'_s \setminus tp_0, fset) \Rightarrow$   
 $(\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'},$   
 $(t' \in \text{fired} \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in \text{fired} \vee t' \in T'_s)) \Rightarrow$   
 $\forall t \in T, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(t \in \text{fired}' \Rightarrow \sigma'(id_t)(f'') = \text{true}) \wedge (\sigma'(id_t)(f'') = \text{true} \Rightarrow t \in \text{fired}' \vee t \in T'_s \setminus tp_0)$

$\forall t \in T, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(t \in \text{fired}' \Rightarrow \sigma'(id_t)(f'') = \text{true}) \wedge (\sigma'(id_t)(f'') = \text{true} \Rightarrow t \in \text{fired}' \vee t \in T_s \setminus \{t_0\} \cup tp_0).$

Then, we can apply the induction hypothesis with  $T'_s = T_s \setminus \{t_0\}$ , then, there are three points to prove:

- $\boxed{\text{IsTopPrioritySet}(T_s \setminus \{t_0\}, tp_0)}$
- $\boxed{\text{IsFiredSetAux}(s', \text{fired}', (T_s \setminus \{t_0\}) \setminus tp_0, fset)}$
- $\boxed{\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'},$   
 $(t' \in \text{fired} \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in \text{fired} \vee t' \in T_s \setminus \{t_0\})}$

Let us prove these three points:

- $\boxed{\text{IsTopPrioritySet}(T_s \setminus \{t_0\}, tp_0)}$

Not provable yet.

- $\boxed{\text{IsFiredSetAux}(s', \text{fired}', (T_s \setminus \{t_0\}) \setminus tp_0, fset)}$

We know that  $(T_s \setminus \{t_0\}) \setminus tp_0 = T_s \setminus (\{t_0\} \cup tp_0)$ , and thus

$\text{IsFiredSetAux}(s', \text{fired}', T_s \setminus (\{t_0\} \cup tp_0), fset)$  is an assumption.

- $\boxed{\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'},$   
 $(t' \in \text{fired} \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in \text{fired} \vee t' \in T_s \setminus \{t_0\})}$

Given a  $t' \in T$  and an  $id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'}$ , let us show

$(t' \in \text{fired} \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in \text{fired} \vee t' \in T_s \setminus \{t_0\})$

The proof is in two parts:

- i. Assuming that  $t' \in \text{fired}$ , let us show  $\sigma'(id_{t'})(\text{"f"}) = \text{true}$ .

From  $t' \in \text{fired}$  and EH,  $\sigma'(id_{t'})(\text{"f"}) = \text{true}$ .

- ii. Assuming that  $\sigma'(id_{t'})(\text{"f"}) = \text{true}$ , let us show  $t' \in \text{fired} \vee t' \in T_s \setminus \{t_0\}$ .

Thanks to  $\sigma'(id_{t'})(\text{"f"}) = \text{true}$  and EH, we know that:  $t' \in \text{fired} \vee t' \in T_s$ .

Case analysis on  $t' \in \text{fired} \vee t' \in T_s$ ; there are two cases:

- CASE  $t' \in \text{fired}$ .

- CASE  $t' \in T_s$ :

From  $\text{IsTopPrioritySet}(T_s, \{t_0\} \cup tp_0)$ , we can deduce that  $t_0 \in T_s$ . Therefore, either  $t' \in T_s \setminus \{t_0\}$  or  $t' = t_0$ .

In the case where  $t' = t_0$ , we need to show a contradiction by proving

$t' \in \text{Firable}(s')$  and  $t' \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i))$  based on  $\sigma'(id_{t'})(\text{"f"}) = \text{true}$ .

By definition of  $id_{t'}$ , there exist a  $gm_{t'}, ipm_{t'}, opm_{t'}$  s.t.  $\text{comp}(id_{t'}, \text{"transition"}, gm_{t'}, ipm_{t'}, opm_{t'}) \in d.cs$ .

By property of the stabilize relation and  $\text{comp}(id_{t'}, \text{"transition"}, gm_{t'}, ipm_{t'}, opm_{t'}) \in d.cs$ :

$$\sigma(id_{t'})(\text{"f"}) = \sigma(id_{t'})(\text{"sfa"}) . \sigma(id_{t'})(\text{"spc"}) = \text{true} \quad (1.3)$$

From  $\sigma(id_{t'})(\text{"sfa"}) = \text{true}$ , and appealing to Lemma Falling Edge Equal Firable, we can deduce  $t' \in \text{Firable}(s')$ .

From  $\sigma(id_{t'})(\text{"spc"}) = \text{true}$ , and appealing to Lemma Stabilize Compute Priority Combination After Falling Edge, we can deduce  $t' \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i))$ .

Then, as  $t' = t_0, \neg(t_0 \in \text{Firable}(s') \wedge t_0 \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i)))$  is a contradiction.

□

**Lemma 9** (Stabilize Compute Priority Combination After Falling Edge). *For all  $s, tp, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  $\forall \text{fired}, \text{fired}', T_s, tp, fset \subseteq T$  assume that:*

- $\text{IsTopPrioritySet}(T_s, \{t\} \cup tp)$
- $\text{ElectFired}(s', \text{fired}, tp, \text{fired}')$
- $\text{FiredAux}(s', \text{fired}', T_s \setminus \{t\} \cup tp, fset)$
- EH:  $\forall t' \in T, id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'}$ ,  
 $(t' \in \text{fired} \Rightarrow \sigma'(id_{t'})(\text{"f"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"f"}) = \text{true} \Rightarrow t' \in \text{fired} \vee t' \in T_s)$ .
- $t \in \text{Firable}(s')$

then  $t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i)) \Leftrightarrow \sigma'(id_t)(\text{"spc"}) = \text{true}$

*Proof.* Given a  $t \in T$  and an  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , a *fired*, *fired'*,  $T_s$ ,  $tp$ ,  $fset \subseteq T$  and assuming all the above hypotheses, let us show

$$t \in Sens(s'.M - \sum_{t_i \in Pr(t, \text{fired})} pre(t_i)) \Leftrightarrow \sigma'(id_t)(\text{"spc"}) = \text{true.}$$

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ .  
By property of the stabilize relation and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_t)(\text{"spc"}) = \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] \quad (1.4)$$

Rewriting the goal with (1.4):

$$t \in Sens(s'.M - \sum_{t_i \in Pr(t, \text{fired})} pre(t_i)) \Leftrightarrow \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \text{true.}$$

Then, the proof is in two parts:

1.  $t \in Sens(s'.M - \sum_{t_i \in Pr(t, \text{fired})} pre(t_i)) \Rightarrow \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \text{true}$
2.  $\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \text{true} \Rightarrow t \in Sens(s'.M - \sum_{t_i \in Pr(t, \text{fired})} pre(t_i))$

Let us prove both sides of the equivalence:

1. Assuming that  $t \in Sens(s'.M - \sum_{t_i \in Pr(t, \text{fired})} pre(t_i))$ , let us show

$$\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \text{true.}$$

Let us perform case analysis on  $input(t)$ ; there are 2 cases:

- **CASE**  $input(t) = \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow 1 \rangle \in gm_t$  and  $\langle \text{priority\_authorizations}(0) \Rightarrow \text{true} \rangle \in ipm_t$ .

By property of the elaboration relation, we have  $\Delta(id_t)(\text{"ian"}) = 1$ , and by property of the stabilize relation, we have  $\sigma'(id_t)(\text{"pauths"})[0] = \text{true}$ .

Rewriting the goal with  $\Delta(id_t)(\text{"ian"}) = 1$  and  $\sigma'(id_t)(\text{"pauths"})[0] = \text{true}$ , and simplifying the goal: **tautology**.

- **CASE**  $input(t) \neq \emptyset$ :

Then, let us show an equivalent goal:

$$\forall i \in [0, \Delta(id_t)(\text{"ian"}) - 1], \sigma'(id_t)(\text{"pauths"})[i] = \text{true.}$$

Given an  $i \in [0, \Delta(id_t)(\text{"ian"}) - 1]$ , let us show  $\sigma'(id_t)(\text{"pauths"})[i] = \text{true.}$

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |input(t)| \rangle \in gm_t$ .

By property of the elaboration relation, we have  $\Delta(id_t)(\text{"ian"}) = |input(t)|$ . Then, we can deduce  $i \in [0, |input(t)| - 1]$ .

By construction, for all  $i \in [0, |input(t)| - 1]$ , there exist a  $p \in input(t)$  and an  $id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p$ , there exist a  $gm_p, ipm_p, opm_p$  s.t.  $comp(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , and there exist a  $j \in [0, |output(p)|]$  and an  $id_{ji} \in Sigs(\Delta)$  s.t.  $<\text{input\_arcs\_valid}(i) \Rightarrow id_{ji}> \in ipm_t$  and  $<\text{output\_arcs\_valid}(j) \Rightarrow id_{ji}> \in opm_t$ . Let us take such a  $p \in input(t)$ ,  $id_p \in Comps(\Delta)$ ,  $gm_p, ipm_p, opm_p, j \in [0, |output(p)|]$  and  $id_{ji} \in Sigs(\Delta)$ .

Now, let us perform case analysis on the nature of the arc connecting  $p$  and  $t$ ; there are 2 cases:

- **CASE**  $pre(p, t) = (\omega, \text{test})$  or  $pre(p, t) = (\omega, \text{inhib})$ :

By construction,  $<\text{priority\_authorizations}(i) \Rightarrow \text{true}> \in ipm_t$ , and by property of the stabilize relation:  $\sigma'(id_t)(\text{"pauths"})[i] = \text{true}$ .

- **CASE**  $pre(p, t) = (\omega, \text{basic})$ :

Let us define  $output_c(p) = \{t \in T \mid \exists \omega, pre(p, t) = (\omega, \text{basic})\}$ , the set of output transitions of  $p$  that are in conflict. Then, there are two cases, one for each way to solve the conflicts between the output transitions of  $p$ :

- \* **CASE** For all pair of transitions in  $output_c(p)$ , all conflicts are solved by mutual exclusion:

By construction,  $<\text{priority\_authorizations}(i) \Rightarrow \text{true}> \in ipm_t$ , and by property of the stabilize relation:  $\sigma'(id_t)(\text{"pauths"})[i] = \text{true}$ .

- \* **CASE** The priority relation is a strict total order over the set  $output_c(p)$ :

By construction, there exists an  $id'_{ji} \in Sigs(\Delta)$  s.t.

$<\text{priority\_authorizations}(i) \Rightarrow id'_{ji}> \in ipm_t$  and

$<\text{priority\_authorizations}(j) \Rightarrow id'_{ji}> \in opm_p$ .

By property of the stabilize relation,  $comp(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$  and  $comp(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_t)(\text{"pauths"})[i] = \sigma'(id'_{ji}) = \sigma'(id_p)(\text{"pauths"})[j] \quad (1.5)$$

Rewriting the goal with (1.5):  $\boxed{\sigma'(id_p)(\text{"pauths"})[j] = \text{true}}$ .

By property of the stabilize relation and  $comp(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_p)(\text{"pauths"})[j] = (\sigma'(id_p)(\text{"sm"}) \geq \text{rsum} + \sigma'(id_p)(\text{"oaw"})[j]) \quad (1.6)$$

Let us define the  $\text{rsum}$  term as follows:

$$\text{rsum} = \sum_{i=0}^{j-1} \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] & \text{if } \sigma'(id_p)(\text{"otf"})[i]. \\ \sigma'(id_p)(\text{"oat"})[i] & \text{if } \sigma'(id_p)(\text{"oat"})[i] = \text{basic} \\ 0 & \text{otherwise} \end{cases} \quad (1.7)$$

Rewriting the goal with (1.6):  $\boxed{\sigma'(id_p)(\text{"sm"}) \geq \text{rsum} + \sigma'(id_p)(\text{"oaw"})[j]}$

By definition of  $t \in Sens(s'.M - \sum_{t_i \in Pr(t, \text{fired})} pre(t_i))$ , we have  $s'.M(p) \geq \sum_{t_i \in Pr(t, \text{fired})} pre(p, t_i) + \omega$ .

Then, there are three points to prove:

(a)  $\boxed{s'.M(p) = \sigma'(id_p)(\text{"sm"})}$

$$(b) \boxed{\omega = \sigma'(id_p)(\text{"oaw"})[j]}$$

$$(c) \boxed{\sum_{t_i \in Pr(t, \text{fired})} pre(p, t_i) = \text{rsum}}$$

Let us prove these three points:

$$(a) \boxed{s'.M(p) = \sigma'(id_p)(\text{"sm"})}$$

Appealing to Lemma **Falling Edge Equal Marking**:  $s'.M(p) = \sigma'(id_p)(\text{"sm"})$ .

$$(b) \boxed{\omega = \sigma'(id_p)(\text{"oaw"})[j]}$$

By construction, and as  $pre(p, t) = (\omega, \text{basic})$ , we have

$\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, \text{"place"}, gmp_p, ipm_p, opm_p) \in d.cs$ :

$$\boxed{\omega = \sigma'(id_p)(\text{"oaw"})[j].}$$

$$(c) \boxed{\sum_{t_i \in Pr(t, \text{fired})} pre(p, t_i) = \text{rsum}}$$

Let us replace the left and right term of the equality by their full definition:

$$\begin{aligned} & \sum_{t_i \in Pr(t, \text{fired})} \begin{cases} \omega & \text{if } pre(p, t_i) = (\omega, \text{basic}) \\ 0 & \text{otherwise} \end{cases} \\ &= \\ & \sum_{i=0}^{j-1} \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] & \text{if } \sigma'(id_p)(\text{"otf"})[i]. \\ \sigma'(id_p)(\text{"oat"})[i] & = \text{basic} \\ 0 & \text{otherwise} \end{cases} \end{aligned}$$

$$\text{Let us define } f(t_i) = \begin{cases} \omega & \text{if } pre(p, t_i) = (\omega, \text{basic}) \\ 0 & \text{otherwise} \end{cases} \quad \text{and}$$

$$g(i) = \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] & \text{if } \sigma'(id_p)(\text{"otf"})[i]. \\ \sigma'(id_p)(\text{"oat"})[i] & = \text{basic} \\ 0 & \text{otherwise} \end{cases}$$

Let us reason by induction on the right term of the goal.

**BASE CASE:** then, we have  $i > j - 1$ , and then  $j = 0$ .

$$\sum_{t_i \in Pr(t, \text{fired})} \begin{cases} \omega & \text{if } pre(p, t_i) = (\omega, \text{basic}) \\ 0 & \text{otherwise} \end{cases} = 0$$

We know that the priority relation is a strict total order over the transitions of set  $output_c(p)$ . This ordering is reflected in the ordering of the indexes of output port  $\text{priority\_authorizations}$  of place component instances. Thus, in the  $\text{priority\_authorizations}$  output port of a place component instance, the element of index 0 is connected to the transition of  $output_c(t)$  with the highest firing priority. We know that component  $id_t$  is connected to  $\text{priority\_authorizations}(0)$  in the output port

map of component  $id_p$ . By construction, transition  $t$  is the transition of  $output_c(p)$  with the highest firing priority, i.e.,  $\nexists t' \in output_c(p)$  s.t.  $t' \succ t$ .

The following part of the proof is the result of induction over term  $\sum_{t_i \in Pr(t, fired)} f(t_i)$ .

Induction is not detailed here.

For all transition  $t_i \in Pr(t, fired)$ , either  $t_i$  is not in  $output_c(p)$ , and thus  $t_i$  has no effect in the value of the sum term  $\sum_{t_i \in Pr(t, fired)} f(t_i)$ ; or,  $t_i \in output_c(p)$ . Then, by definition of  $t_i \in Pr(t, fired)$ ,  $t_i \succ t$ , which is contradiction with  $\nexists t' \in output_c(p)$  s.t.  $t' \succ t$ .

**INDUCTIVE CASE:** then,  $0 \leq j - 1$ , and thus  $j > 0$ .

$$\text{For all } Pr' \subseteq T, g(0) + \sum_{t_i \in Pr'} f(t_i) = g(0) + \sum_{i=1}^{j-1} g(i)$$

$$\sum_{t_i \in Pr(t, fired)} f(t_i) = g(0) + \sum_{i=1}^{j-1} g(i).$$

By definition of  $g(0)$ :

$$\sum_{t_i \in Pr(t, fired)} f(t_i) = \begin{cases} \sigma'(id_p)(“oaw”)[0] \text{ if } \sigma'(id_p)(“otf”)[0]. \\ \sigma'(id_p)(“oat”)[0] = \text{basic} \quad + \sum_{i=1}^{j-1} g(i). \\ 0 \text{ otherwise} \end{cases}$$

Case analysis on the value of  $\sigma'(id_p)(“otf”)[0] . \sigma'(id_p)(“oat”)[0] = \text{basic}$ :

In the case where  $(\sigma'(id_p)(“otf”)[0] . \sigma'(id_p)(“oat”)[0] = \text{basic}) = \text{false}$ , then  $g(0) = 0$ , and we can use the induction hypothesis with  $Pr' = Pr(t, fired)$  to prove the goal.

In the case where  $(\sigma'(id_p)(“otf”)[0] . \sigma'(id_p)(“oat”)[0] = \text{basic}) = \text{true}$ , then  $g(0) = \sigma'(id_p)(“oaw”)[0]$ :

$$\sum_{t_i \in Pr(t, fired)} f(t_i) = \sigma'(id_p)(“oaw”)[0] + \sum_{i=1}^{j-1} g(i).$$

By construction, and knowing that  $j > 0$  and that the priority relation is a strict total order over the set  $output_c(p)$ , there exist a  $t_0 \in output_c(p)$  s.t.  $t_0 \succ t$ . Moreover, there exist an  $id_{t_0} \in Comps(\Delta)$  s.t.  $\gamma(t_0) = id_{t_0}$ , and by definition of  $id_{t_0}$ , there exist  $gm_{t_0}$ ,  $ipm_{t_0}$  and  $opm_{t_0}$  s.t.  $\text{comp}(id_{t_0}, “transition”, gm_{t_0}, ipm_{t_0}, opm_{t_0}) \in d.cs$ . Finally, there exist an  $id_{ft_0} \in Sigs(\Delta)$  s.t.  $\langle \text{fired} \Rightarrow id_{ft_0} \rangle \in opm_{t_0}$  and  $\langle \text{output\_transitions\_fired}(0) \Rightarrow id_{ft_0} \rangle \in ipm_p$ .

By property of the stabilize relation,  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$  and  $\text{comp}(id_{t_0}, "transition", gm_{t_0}, ipm_{t_0}, opm_{t_0}) \in d.cs$ :

$$\sigma'(id_{t_0})(f') = \sigma'(id_{ft_0}) = \sigma'(id_p)(otf')[0] = \text{true} \quad (1.8)$$

From EH and  $\sigma'(id_{t_0})(f') = \text{true}$ , we have either  $t_0 \in \text{fired}$  or  $t_0 \in T_s$ .

□ In the case where  $t_0 \in \text{fired}$ , then, by definition of  $\sum$ :

$$f(t_0) + \sum_{t_i \in Pr(t, \text{fired}) \setminus \{t_0\}} f(t_i) = \sigma'(id_p)(oaw')[0] + \sum_{i=1}^{j-1} g(i).$$

By definition of  $t_0 \in \text{output}_c(p)$ , there exists  $\omega \in \mathbb{N}^*$  s.t.  $\text{pre}(p, t_0) = (\omega, \text{basic})$ . Thus, we have  $f(t_0) = \omega$

By construction,  $\langle \text{output\_arcs\_weights}(0) \Rightarrow \omega \rangle$ , and by property of the stabilize relation, we have  $\sigma'(id_p)(oaw')[0] = \omega$ . Thus, we can deduce that  $g(0) = \omega$ , and then we can rewrite the goal in order to apply the induction hypothesis with  $Pr' = Pr(t, \text{fired}) \setminus \{t_0\}$ .

□ In the case where  $t_0 \in T_s$ :

As  $t$  is a top-priority transition in set  $T_s$ , there exists no transition  $t' \in T_s$  s.t.  $t' \succ t$ . Contradicts  $t_0 \succ t$ .

2. Assuming that  $\prod_{i=0}^{\Delta(id_t)(ian)-1} \sigma'(id_t)(pauths)[i] = \text{true}$ , let us show

$$t \in \text{Sens}(s'.M - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(t_i)).$$

By definition of  $t \in \text{Sens}(s'.M - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(t_i))$ :

$$\begin{aligned} & \forall p \in P, \omega \in \mathbb{N}^*, \\ & ((\text{pre}(p, t) = (\omega, \text{basic}) \vee \text{pre}(p, t) = (\omega, \text{test})) \Rightarrow s'.M(p) - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(p, t_i) \geq \omega) \\ & \wedge (\text{pre}(p, t) = (\omega, \text{inhib}) \Rightarrow s'.M(p) - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(p, t_i) < \omega) \end{aligned}$$

Given a  $p \in P$  and an  $\omega \in \mathbb{N}^*$ , let us show

$$\begin{aligned} & ((\text{pre}(p, t) = (\omega, \text{basic}) \vee \text{pre}(p, t) = (\omega, \text{test})) \Rightarrow s'.M(p) - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(p, t_i) \geq \omega) \\ & \wedge (\text{pre}(p, t) = (\omega, \text{inhib}) \Rightarrow s'.M(p) - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(p, t_i) < \omega) \end{aligned}$$

By construction, there exists an  $id_p \in \text{Comps}(\Delta)$  s.t.  $\gamma(p) = id_p$ . By definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ .

There are three different cases:

(a) Assuming that  $\text{pre}(p, t) = (\omega, \text{test})$ , let us show  $s'.M(p) - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(p, t_i) \geq \omega$ .

Then, assuming that the priority relation is well-defined, there exists no transition  $t_i$  connected by a basic arc to  $p$  that verified  $t_i \succ t$ . This is because  $t$  is connected to  $p$  by a test arc; thus,  $t$  is not in conflict with the other output transitions of  $p$ ; thus, there is no relation of priority between  $t$  and the output of  $p$ .

Then, we can deduce that  $\sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(p, t_i) = 0$ .

Then, the new goal is  $s'.M(p) \geq \omega$ .

Knowing that  $t \in \text{Firable}(s')$ , thus,  $t \in \text{Sens}(s'.M)$ , thus, we have  $s'.M(p) \geq \omega$ .

(b) Assuming that  $\text{pre}(p, t) = (\omega, \text{inhib})$ , let us show  $s'.M(p) - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(p, t_i) < \omega$ .

Use the same strategy as above.

(c) Assuming that  $\text{pre}(p, t) = (\omega, \text{basic})$ , let us show  $s'.M(p) - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(p, t_i) \geq \omega$ .

Then, there are two cases:

- CASE** For all pair of transitions in  $\text{output}_c(p)$ , all conflicts are solved by mutual exclusion.

Then, assuming that the priority relation is well-defined, it must not be defined over the set  $\text{output}_c(t)$ , and we know that  $t \in \text{output}_c(p)$  since  $\text{pre}(p, t) = (\omega, \text{basic})$ .

Then, there exists no transition  $t_i$  connected to  $p$  by a basic arc that verifies  $t_i \succ t$ .

Then, we can deduce  $\sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(p, t_i) = 0$ .

Then, the new goal is  $s'.M(p) \geq \omega$ .

We know  $t \in \text{Firable}(s')$ , thus,  $t \in \text{Sens}(s'.M)$ , thus,  $s'.M(p) \geq \omega$ .

- CASE** The priority relation is a strict total order over the set  $\text{output}_c(p)$ .

By construction, there exists  $\text{id}_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = \text{id}_t$ . By definition of  $\text{id}_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(\text{id}_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ .

By construction, there exist  $j \in [0, |\text{input}(t)| - 1]$ ,  $k \in [0, |\text{output}(t)| - 1]$ , and  $\text{id}_{kj} \in \text{Sigs}(\Delta)$  s.t.  $\langle \text{priority\_authorizations}(j) \Rightarrow \text{id}_{kj} \rangle \in ipm_t$  and  $\langle \text{priority\_authorizations}(k) \Rightarrow \text{id}_{kj} \rangle \in opm_p$ . Let us take such an  $j, k$  and  $\text{id}_{kj}$ .

From  $\prod_{i=0}^{\Delta(\text{id}_t)(\text{"ian"})-1} \sigma'(\text{id}_t)(\text{"pauths"})[i] = \text{true}$ , we can deduce that for all  $i \in [0, \Delta(\text{id}_t)(\text{"ian"}) - 1]$ ,  $\sigma'(\text{id}_t)(\text{"pauths"})[i] = \text{true}$ .

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |\text{input}(t)| \rangle \in gm_t$ , and by property of the elaboration relation, we have  $\Delta(\text{id}_t)(\text{"ian"}) = |\text{input}(t)|$ . Then, from  $j \in [0, |\text{input}(t)| - 1]$ , we can deduce  $j \in [0, \Delta(\text{id}_t)(\text{"ian"}) - 1]$ . And, from  $\forall i \in [0, \Delta(\text{id}_t)(\text{"ian"}) - 1], \sigma'(\text{id}_t)(\text{"pauths"})[i] = \text{true}$ , we can deduce  $\sigma'(\text{id}_t)(\text{"pauths"})[j] = \text{true}$ .

By property of the stabilize relation,  $\text{comp}(\text{id}_p, "place", gm_p, ipm_p, opm_p) \in d.cs$  and  $\text{comp}(\text{id}_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(\text{id}_p)(\text{"pauths"})[k] = \sigma'(\text{id}_{kj})\sigma'(\text{id}_t)(\text{"pauths"})[j] = \text{true} \quad (1.9)$$

By property of the stabilize relation and  $\text{comp}(\text{id}_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(\text{id}_p)(\text{"pauths"})[k] = (\sigma'(\text{id}_p)(\text{"sm"}) \geq \text{rsum} + \sigma'(\text{id}_p)(\text{"oaw"})) [k] \quad (1.10)$$

Let us define the `rsum` term as follows:

$$\text{rsum} = \sum_{i=0}^{k-1} \begin{cases} \sigma'(\text{id}_p)(\text{"oaw"})[i] & \text{if } \sigma'(\text{id}_p)(\text{"otf"})[i]. \\ 0 & \text{otherwise} \end{cases} \quad \sigma'(\text{id}_p)(\text{"oat"})[i] = \text{basic} \quad (1.11)$$

From (1.9) and (1.10), we can deduce that  $\sigma'(\text{id}_p)(\text{"sm"}) \geq \text{rsum} + \sigma'(\text{id}_p)(\text{"oaw"})[k]$ . Then, there are three points to prove:

- A.  $s'.M(p) = \sigma'(\text{id}_p)(\text{"sm"})$
- B.  $\omega = \sigma'(\text{id}_p)(\text{"oaw"})[k]$
- C.  $\sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(p, t_i) = \text{rsum}$

See 1 for the remainder of the proof.

□



## Appendix A

# Reminder on natural semantics



## Appendix B

# Reminder on induction principles

- Present all the material that will be used in the proof, and that needs clarifying for people who do not come from the field (e.g, automaticians and electricians)
  - structural induction
  - induction on relations
  - ...



## Appendix C

# Semantic preservation proof

| Constants and signals reference |        |                      |                                            |
|---------------------------------|--------|----------------------|--------------------------------------------|
| Full name                       | Alias  | Category             | Type                                       |
| "input_conditions"              | "ic"   | input port (T)       | IB                                         |
| "reinit_time"                   | "rt"   | input port (T)       | IB                                         |
| "input_arcs_valid"              | "iav"  | input port (T)       | IB                                         |
| "fired"                         | "f"    | output port (T)      | IB                                         |
| "s_condition_combination"       | "scc"  | internal signal (T)  | IB                                         |
| "s_reinit_time_counter"         | "srtc" | internal signal (T)  | IB                                         |
| "s_priority_combination"        | "spc"  | internal signal (T)  | IB                                         |
| "s_fired"                       | "sf"   | internal signal (T)  | IB                                         |
| "s_firable"                     | "sfa"  | internal signal (T)  | IB                                         |
| "s_enabled"                     | "se"   | internal signal (T)  | IB                                         |
| "input_arcs_number"             | "ian"  | generic constant (T) | IN                                         |
| "transition_type"               | "tt"   | generic constant (T) | {NOT_TEMP, TEMP_A_B, TEMP_A_A, TEMP_A_INF} |
| "conditions_number"             | "cn"   | generic constant (T) | IN                                         |
| "maximal_time_counter"          | "mtc"  | generic constant (T) | IN                                         |
| "s_marking"                     | "sm"   | internal signal (P)  | IN                                         |
| "s_output_token_sum"            | "sots" | internal signal (P)  | IN                                         |
| "s_input_token_sum"             | "sits" | internal signal (P)  | IN                                         |
| "reinit_transition_time"        | "rtt"  | output port (P)      | IB                                         |
| "output_arcs_types"             | "oat"  | input port (P)       | {BASIC, TEST, INHIB}                       |
| "output_arcs_weights"           | "oaw"  | input port (P)       | IN                                         |
| "output_transition_fired"       | "otf"  | input port (P)       | IB                                         |
| "input_arcs_weights"            | "iaw"  | input port (P)       | IN                                         |
| "input_transition_fired"        | "itf"  | input port (P)       | IB                                         |

TABLE C.1: Constants and signals reference for the  $\mathcal{H}$ -VHDL transition and place designs

### C.1 Initial States

**Definition 10** (Initial State Hypotheses). Given an  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$ , assume that:

- $SITPN sitpn$  translates into design  $d$ :  $[sitpn]_{\mathcal{H}} = (d, \gamma)$

- $\Delta$  is the elaborated version of  $d$ ,  $\sigma_e$  is the default state of  $\Delta$ , i.e, state of  $\Delta$  where all signals have their default value:

$$\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e)$$

- $\sigma_0$  is the initial state of  $\Delta$ :  $\Delta, \sigma_e \vdash d.cs \xrightarrow{\text{init}} \sigma_0$

**Lemma 10** (Similar Initial States). For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Def. 10, then  $\gamma \vdash s_0 \sim \sigma_0$ .

*Proof.* By definition of ??, 6 subgoals.

1.  $\forall p \in P, id_p \in Comps(\Delta), \sigma_p^0 \in \Sigma(\Delta(id_p))$  s.t.  $\gamma(p) = id_p$  and  $\sigma_0(id_p) = \sigma_p^0$ ,  $s_0.M(p) = \sigma_p^0("s\_marking")$ .
2.  $\forall t \in T_i, id_t \in Comps(\Delta), \sigma_t^0 \in \Sigma(\Delta(id_t))$  s.t.  $\gamma(t) = id_t$  and  $\sigma_0(id_t) = \sigma_t^0$ ,  
 $upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t^0("s\_tc") \wedge$   
 $upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t)) \Rightarrow \sigma_t^0("s\_tc") = lower(I_s(t)) \wedge$   
 $upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t)) \Rightarrow \sigma_t^0("s\_tc") = upper(I_s(t)) \wedge$   
 $upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t^0("s\_tc")$ .
3.  $\forall t \in T_i, id_t \in Comps(\Delta), \sigma_t^0 \in \Sigma(\Delta(id_t))$  s.t.  $\gamma(t) = id_t$  and  $\sigma_0(id_t) = \sigma_t^0$ ,  
 $s_0.reset_t(t) = \sigma_t^0("s\_reinit\_time\_counter")$ .
4.  $\forall c \in \mathcal{C}, id_c \in Ins(\Delta)$  s.t.  $\gamma(c) = id_c$ ,  $s_0.cond(c) = \sigma_0(id_c)$ .
5.  $\forall a \in \mathcal{A}, id_a \in Outs(\Delta)$  s.t.  $\gamma(a) = id_a$ ,  $s_0.ex(a) = \sigma_0(id_a)$ .
6.  $\forall f \in \mathcal{F}, id_f \in Outs(\Delta)$  s.t.  $\gamma(f) = id_f$ ,  $s_0.ex(f) = \sigma_0(id_f)$ .

- Apply Lemma **Initial States Equal Marking** to solve 1.
- Apply Lemma **Initial States Equal Time Counters** to solve 2.
- Apply Lemma **Initial States Equal Reset Orders** to solve 3.
- Apply Lemma **Initial States Equal Condition Values** to solve 4.
- Apply Lemma **Initial States Equal Action Executions** to solve 5.
- Apply Lemma **Initial States Equal Function Executions** to solve 6.

□

### C.1.1 Initial states and marking

**Lemma 11** (Initial States Equal Marking). For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Def. 10, then  $\forall p \in P, id_p \in Comps(\Delta), \sigma_p^0 \in \Sigma(\Delta(id_p))$  s.t.  $\gamma(p) = id_p$  and  $\sigma_0(id_p) = \sigma_p^0$ ,  $s_0.M(p) = \sigma_p^0("s\_marking")$ .

*Proof.* Given a  $p \in P$ , an  $id_p \in Comps(\Delta)$  and a  $\sigma_p^0 \in \Sigma(\Delta(id_p))$  s.t.  $\gamma(p) = id_p$  and  $\sigma_0(id_p) = \sigma_p^0$ , let's show that

$$s_0.M(p) = \sigma_p^0("s\_marking").$$

By definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation, the P design behavior (process "marking"), and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , then  $\sigma_p^0("s\_marking") = \sigma_p^0("initial\_marking")$ .

$$\text{Rewriting } \sigma_p^0("s\_marking") \text{ as } \sigma_p^0("initial\_marking"), \quad \sigma_p^0("initial\_marking") = s_0.M(p).$$

By construction,  $<id_p.initial\_marking \Rightarrow M_0(p)> \in ipm_p$ . By property of the  $\mathcal{H}$ -VHDL initialization relation, and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , then  $\sigma_p^0("initial\_marking") = M_0(p)$ .

$$\text{By definition of } s_0, \text{ rewriting } s_0.M(p) \text{ as } M_0(p), \quad \sigma_p^0("initial\_marking") = s_0.M(p).$$

□

### C.1.2 Initial states and time counters

**Lemma 12** (Initial States Equal Time Counters). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Def. 10, then  $\forall t \in T_i, id_t \in Comps(\Delta), \sigma_t^0 \in \Sigma(\Delta(id_t))$  s.t.  $\gamma(t) = id_t$  and  $\sigma_0(id_t) = \sigma_t^0$ ,*

- $upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t^0("s\_tc") \wedge$*
- $upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t)) \Rightarrow \sigma_t^0("s\_tc") = lower(I_s(t)) \wedge$*
- $upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t)) \Rightarrow \sigma_t^0("s\_tc") = upper(I_s(t)) \wedge$*
- $upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t^0("s\_tc")$ .*

*Proof.* Given a  $t \in T_i$ , an  $id_t \in Comps(\Delta)$  and a  $\sigma_t^0 \in \Sigma(\Delta(id_t))$  s.t.  $\gamma(t) = id_t$  and  $\sigma_0(id_t) = \sigma_t^0$ , let's show that:

1.  $upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t^0("s\_tc")$
2.  $upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t)) \Rightarrow \sigma_t^0("s\_tc") = lower(I_s(t))$
3.  $upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t)) \Rightarrow \sigma_t^0("s\_tc") = upper(I_s(t))$
4.  $upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t^0("s\_tc")$

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ .

Then, let's show the 4 previous subgoals.

1. Assume  $upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t))$ , then show  $s_0.I(t) = \sigma_t^0("s\_tc")$ .  
Rewriting  $s_0.I(t)$  as 0, by definition of  $s_0$ ,  $\sigma_t^0("s\_tc") = 0$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation, the T design behavior (process "time\_counter"), and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , then  $\sigma_t^0("s\_tc") = 0$ .

2. Assume  $\text{upper}(I_s(t)) = \infty \wedge s_0.I(t) > \text{lower}(I_s(t))$ , then show  $\sigma_t^0("s\_tc") = \text{lower}(I_s(t))$ . By definition,  $\text{lower}(I_s(t)) \in \mathbb{N}^*$  and  $s_0.I(t) = 0$ . Then,  $\text{lower}(I_s(t)) < 0$  is a contradiction.
3. Assume  $\text{upper}(I_s(t)) \neq \infty \wedge s_0.I(t) > \text{upper}(I_s(t))$ , then show  $\sigma_t^0("s\_tc") = \text{upper}(I_s(t))$ . By definition,  $\text{upper}(I_s(t)) \in \mathbb{N}^*$  and  $s_0.I(t) = 0$ . Then,  $\text{upper}(I_s(t)) < 0$  is a contradiction.
4. Assume  $\text{upper}(I_s(t)) \neq \infty \wedge s_0.I(t) \leq \text{upper}(I_s(t))$ , then show  $s_0.I(t) = \sigma_t^0("s\_tc")$ .

Rewriting  $s_0.I(t)$  as 0, by definition of  $s_0$ ,  $\sigma_t^0("s\_tc") = 0$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation, the T design behavior (process "time\_counter"), and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , then  $\sigma_t^0("s\_tc") = 0$ .

□

### C.1.3 Initial states and reset orders

**Lemma 13** (Initial States Equal Reset Orders). *For all  $\text{sitpn} \in \text{SITPN}$ ,  $d \in \text{design}$ ,  $\gamma \in \text{WM}(\text{sitpn}, d)$ ,  $\Delta \in \text{ElDesign}(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Def. 10, then  $\forall t \in T_i, id_t \in \text{Comps}(\Delta), \sigma_t^0 \in \Sigma(\Delta(id_t))$  s.t.  $\gamma(t) = id_t$  and  $\sigma_0(id_t) = \sigma_t^0$ ,  $s_0.\text{reset}_t(t) = \sigma_t^0("s\_reinit\_time\_counter")$ .*

*Proof.* Given a  $t \in T_i$ , an  $id_t \in \text{Comps}(\Delta)$  and a  $\sigma_t^0 \in \Sigma(\Delta(id_t))$  s.t.  $\gamma(t) = id_t$ , let's show that  $s_0.\text{reset}_t(t) = \sigma_t^0("s\_reinit\_time\_counter")$ .

Rewriting  $s_0.\text{reset}_t(t)$  as *false*, by definition of  $s_0$ ,  $\sigma_t^0("s\_reinit\_time\_counter") = \text{false}$ .

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation, the T design behavior (process `reinit_time_counter_evaluation`), and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ ,

we know  $\sigma_t^0("s\_reinit\_time\_counter") = \prod_{i=0}^{\Delta(id_t)(\text{"in\_arcs\_nb"})-1} \sigma_t^0("rt") (i)$ , where  $\Delta(id_t)(\text{"in\_arcs\_nb"})$  is the value of the generic constant "in\_arcs\_nb" stored in the elaborated design  $\Delta(id_t)$  (which, by property of the  $\mathcal{H}$ -VHDL elaboration relation, is an elaborated version of the T design).

Rewriting  $\sigma_t^0("s\_reinit\_time\_counter")$  as  $\prod_{i=0}^{\Delta(id_t)(\text{"in\_arcs\_nb"})-1} \sigma_t^0("rt") (i)$ ,

$\prod_{i=0}^{\Delta(id_t)(\text{"in\_arcs\_nb"})-1} \sigma_t^0("rt") (i) = \text{false}$ .

For all  $t \in T$  (resp.  $p \in P$ ), let  $\text{input}(t)$  (resp.  $\text{input}(p)$ ) be the set of input places of  $t$  (resp. input transitions of  $p$ ), and let  $\text{output}(t)$  (resp.  $\text{output}(p)$ ) be the set of output places of  $t$  (resp. output transitions of  $p$ ).

Case analysis on  $\text{input}(t)$  (2 CASES).

- **CASE**  $\text{input}(t) = \emptyset$ .

By construction,  $\langle \text{id}_t.\text{in\_arcs\_nb} \Rightarrow 1 \rangle \in gm_t$ , and by property of the elaboration relation,  $\Delta(id_t)(\text{"in\_arcs\_nb"}) = 1$ . By construction,  $\langle \text{id}_t.\text{rt}(0) \Rightarrow \text{false} \rangle \in ipm_t$ , and by property of the initialization relation,  $\sigma_t^0(\text{"rt"})(0) = \text{false}$ .

Rewriting  $\Delta(id_t)(\text{"in\_arcs\_nb"})$  as 1 and  $\sigma_t^0(\text{"rt"})(0)$  as *false*,

$$\prod_{i=0}^{\Delta(id_t)(\text{"in\_arcs\_nb"})-1} \sigma_t^0(\text{"rt"})(i) = \sigma_t^0(\text{"rt"})(0) = \text{false}.$$

- **CASE**  $\text{input}(t) \neq \emptyset$ .

We know  $\prod_{i=0}^{\Delta(id_t)(\text{"in\_arcs\_nb"})-1} \sigma_t^0(\text{"rt"})(i) = \text{false} \equiv \exists i \in [0, \Delta(id_t)(\text{"in\_arcs\_nb"}) - 1] \text{ s.t. } \sigma_t^0(\text{"rt"})(i) = \text{false}$ .

$$\boxed{\exists i \in [0, \Delta(id_t)(\text{"in\_arcs\_nb"}) - 1] \text{ s.t. } \sigma_t^0(\text{"rt"})(i) = \text{false}.}$$

Since  $\text{input}(t) \neq \emptyset$ ,  $\exists p \text{ s.t. } p \in \text{input}(t)$ . Let's take such a  $p \in \text{input}(t)$ .

By construction, for all  $p \in P$ , there exist  $id_p$  s.t.  $\gamma(p) = id_p$ .

By definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ .

By construction, for all  $p \in P, t \in T$  s.t.  $p \in \text{input}(t)$  and  $t \in \text{output}(p)$ , for all  $id_p, id_t$  s.t.  $\gamma(p) = id_p$  and  $\gamma(t) = id_t$ , for all  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$  and  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , there exist  $i \in [0, |\text{input}(t)| - 1], j \in [0, |\text{output}(p)| - 1]$ ,  $id_{ji}$  s.t.  $\langle \text{id}_p.\text{rtt}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{id}_t.\text{rt}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ . Let's take such a  $i, j$  and  $id_{ji}$ .

By construction, for all  $t \in T$  s.t.  $\text{input}(t) \neq \emptyset, id_t, gm_t, ipm_t, opm_t$  s.t.  $\gamma(t) = id_t$  and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , then  $\langle \text{id}_t.\text{in\_arcs\_nb} \Rightarrow |\text{input}(t)| \rangle \in gm_t$ .

By property of the  $\mathcal{H}$ -VHDL elaboration relation and  $\langle \text{id}_t.\text{in\_arcs\_nb} \Rightarrow |\text{input}(t)| \rangle \in gm_t$ , we know  $\Delta(id_t)(\text{"in\_arcs\_nb"}) = |\text{input}(t)|$ .

Rewriting  $\Delta(id_t)(\text{"in\_arcs\_nb"})$  as  $|\text{input}(t)|$ , we have  $i \in [0, \Delta(id_t)(\text{"in\_arcs\_nb"}) - 1]$ . Let's take that  $i$  to prove the goal.

$$\boxed{\sigma_t^0(\text{"rt"})(i) = \text{false}.}$$

By property of the  $\mathcal{H}$ -VHDL initialization relation and  $\langle \text{id}_t.\text{rt}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ , we know  $\sigma_t^0(\text{"rt"})(i) = \sigma_0(id_{ji})$ .

Rewriting  $\sigma_t^0(\text{"rt"})(i)$  as  $\sigma_0(id_{ji})$ ,  $\boxed{\sigma_0(id_{ji}) = \text{false}.}$

By property of the  $\mathcal{H}$ -VHDL elaboration and initialization relations, and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , there exists a  $\sigma_p^0 \in \Sigma(\Delta(id_p))$  s.t.  $\sigma_0(id_p) = \sigma_p^0$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation and  $< \text{id}_p.\text{rtt}(j) \Rightarrow id_{ji} > \in opm_p$ , we know  $\sigma_0("id_{ji}") = \sigma_p^0("rtt")(j)$ .

Rewriting  $\sigma_0("id_{ji}")$  as  $\sigma_p^0("rtt")(j)$ ,  $\boxed{\sigma_p^0("rtt")(j) = \text{false}}$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation, the P design behavior (process `reinit_transitions_time_evaluation`), and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we know that for all  $j \in [0, \Delta(id_p)(\text{"out_arcs_nb"}) - 1]$ ,  $\sigma_p^0("rtt")(j) = \text{false}$ .

By construction, for all  $p \in P$  s.t.  $\text{output}(p) \neq \emptyset$ ,  $\text{id}_p \in \text{Comps}(\Delta), gm_p, ipm_p, opm_p$  s.t.  $\gamma(p) = id_p$  and  $\text{comp}(id_p, "transition", gm_p, ipm_p, opm_p) \in d.cs$ , then  $< \text{id}_p.\text{out_arcs_nb} \Rightarrow |\text{output}(p)| > \in gm_p$ .

By property of the  $\mathcal{H}$ -VHDL elaboration relation and  $< \text{id}_p.\text{out_arcs_nb} \Rightarrow |\text{output}(p)| > \in gm_p$ , we know  $\Delta(id_p)(\text{"out_arcs_nb"}) = |\text{output}(p)|$ .

Rewriting  $|\text{output}(p)|$  as  $\Delta(id_p)(\text{"out_arcs_nb"})$ , we have  $j \in [0, \Delta(id_p)(\text{"out_arcs_nb"}) - 1]$ . Then, we can deduce  $\boxed{\sigma_p^0("rtt")(j) = \text{false}}$ .

□

#### C.1.4 Initial states and condition values

**Lemma 14** (Initial States Equal Condition Values). *For all  $\text{sitpn} \in SITPN$ ,  $d \in \text{design}$ ,  $\gamma \in WM(\text{sitpn}, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Def. 10, then  $\forall c \in \mathcal{C}, id_c \in Ins(\Delta)$  s.t.  $\gamma(c) = id_c$ ,  $s_0.\text{cond}(c) = \sigma_0(id_c)$ .*

*Proof.* Given a  $c \in \mathcal{C}$  and an  $\text{id}_c \in Ins(\Delta)$  s.t.  $\gamma(c) = id_c$ , let's show that  $\boxed{s_0.\text{cond}(c) = \sigma_0(id_c)}$ .

Rewriting  $s_0.\text{cond}(c)$  as  $\text{false}$ , by definition of  $s_0$ ,  $\boxed{\sigma_0(id_c) = \text{false}}$ .

By construction,  $\text{id}_c$  is an input port identifier of boolean type in the  $\mathcal{H}$ -VHDL design  $d$ .

By property of the  $\mathcal{H}$ -VHDL elaboration relation,  $\sigma_e(id_c) = \text{false}$ , where  $\text{false}$  is the default value associated to signals of the boolean type during the elaboration (see definition of default value in chapter  $\mathcal{H}$ -VHDL semantics).

By property of the  $\mathcal{H}$ -VHDL initialization relation, we have  $\sigma_e(id_c) = \sigma_0(id_c)$  (i.e, input ports are not assigned during the initialization phase).

Rewriting  $\sigma_e(id_c)$  as  $\text{false}$ ,  $\boxed{\sigma_0(id_c) = \text{false}}$ .

□

#### C.1.5 Initial states and action executions

Correction:  $id_f$  is assigned by the reset block of the function process

**Lemma 15** (Initial States Equal Action Executions). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_H)$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Def. 10, then  $\forall a \in \mathcal{A}, id_a \in Outs(\Delta)$  s.t.  $\gamma(a) = id_a$ ,  $s_0.ex(a) = \sigma_0(id_a)$ .*

*Proof.* Given a  $a \in \mathcal{A}$  and an  $id_a \in Outs(\Delta)$  s.t.  $\gamma(a) = id_a$ , let's show that  $s_0.ex(a) = \sigma_0(id_a)$ .

Rewriting  $s_0.ex(a)$  as *false*, by definition of  $s_0$ ,  $\sigma_0(id_a) = false$ .

By construction,  $id_a$  is an output port identifier of boolean type in the  $\mathcal{H}$ -VHDL design  $d$ .

By property of the  $\mathcal{H}$ -VHDL elaboration relation,  $\sigma_e(id_a) = false$ , where *false* is the default value associated to signals of the boolean type during the elaboration (see definition of default value in chapter  $\mathcal{H}$ -VHDL semantics).

By construction, we know that the output port identifier  $id_a$  is assigned in the generated action process, only at the falling edge phase of the simulation cycle (i.e, the assignment takes place in a *falling* statement block).

By property of the  $\mathcal{H}$ -VHDL initialization relation, and we have  $\sigma_e(id_a) = \sigma_0(id_a)$  (i.e, process action is idle during the initialization phase).

Rewriting  $\sigma_e(id_a)$  as *false*,  $\sigma_0(id_a) = false$ .

□

### C.1.6 Initial states and function executions

Correction:  $id_f$  is assigned by the reset block of the function process

**Lemma 16** (Initial States Equal Function Executions). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_H)$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Def. 10, then  $\forall f \in \mathcal{F}, id_f \in Outs(\Delta)$  s.t.  $\gamma(f) = id_f$ ,  $s_0.ex(f) = \sigma_0(id_f)$ .*

*Proof.* Given a  $f \in \mathcal{F}$  and an  $id_f \in Outs(\Delta)$  s.t.  $\gamma(f) = id_f$ , let's show that  $s_0.ex(f) = \sigma_0(id_f)$ .

Rewriting  $s_0.ex(f)$  as *false*, by definition of  $s_0$ ,  $\sigma_0(id_f) = false$ .

By construction,  $id_f$  is an output port identifier of boolean type in the  $\mathcal{H}$ -VHDL design  $d$ .

By property of the  $\mathcal{H}$ -VHDL elaboration relation,  $\sigma_e(id_f) = false$ , where *false* is the default value associated to signals of the boolean type during the elaboration (see definition of default value in chapter  $\mathcal{H}$ -VHDL semantics).

By construction, we know that the output port identifier  $id_f$  is assigned in the generated function process (i.e, function is the process identifier), only at the rising edge phase of the simulation cycle (i.e, the assignment takes place in a *rising* statement block).

By property of the  $\mathcal{H}$ -VHDL initialization relation, and we have  $\sigma_e(id_f) = \sigma_0(id_f)$  (i.e, process function is idle during the initialization phase).

Rewriting  $\sigma_e(id_f)$  as *false*,  $\sigma_0(id_f) = false$ .

□

## C.2 First Rising Edge

**Definition 11** (First Rising Edge Hypotheses). *Given an  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_H)$ ,  $\sigma_e, \sigma_0, \sigma_i, \sigma_{\uparrow}, \sigma \in \Sigma(\Delta)$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ ,  $\tau \in \mathbb{N}$ , assume that:*

- $\lfloor sitpn \rfloor_H = (d, \gamma)$  and  $\mathcal{D}_H, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e)$  and  $\gamma \vdash E_p \stackrel{env}{=} E_c$
- $\sigma_0$  is the initial state of  $\Delta$ :  $\Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0$
- $E_c, \tau \vdash s_0 \xrightarrow{\uparrow_0} s_0$
- $\text{Inject}_{\uparrow}(\sigma_0, E_p, \tau, \sigma_i)$  and  $\Delta, \sigma_i \vdash d.cs \xrightarrow{\uparrow} \sigma_{\uparrow}$  and  $\Delta, \sigma_{\uparrow} \vdash d.cs \xrightarrow{\theta} \sigma$

**Lemma 17** (First Rising Edge). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_{\uparrow}, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Def. 11, then  $\gamma, E_c, \tau \vdash s_0 \xrightarrow{\uparrow} \sigma$ .*

*Proof.* By definition of Post rising edge state similarity, 6 subgoals.

1.  $\forall p \in P, id_p \in Comps(\Delta), \sigma_p \in \Sigma(\Delta(id_p))$  s.t.  $\gamma(p) = id_p$  and  $\sigma(id_p) = \sigma_p$ ,  $s_0.M(p) = \sigma_p("s\_marking")$ .
2.  $\forall t \in T_i, id_t \in Comps(\Delta), \sigma_t \in \Sigma(\Delta(id_t))$  s.t.  $\gamma(t) = id_t$  and  $\sigma(id_t) = \sigma_t$ ,  
 $upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t("s\_tc") \wedge$   
 $upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t)) \Rightarrow \sigma_t("s\_tc") = lower(I_s(t)) \wedge$   
 $upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t)) \Rightarrow \sigma_t("s\_tc") = upper(I_s(t)) \wedge$   
 $upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t("s\_tc")$ .
3.  $\forall t \in T_i, id_t \in Comps(\Delta), \sigma_t \in \Sigma(\Delta(id_t))$  s.t.  $\gamma(t) = id_t$  and  $\sigma(id_t) = \sigma_t$ ,  
 $s_0.reset_t(t) = \sigma_t("s\_reinit\_time\_counter")$ .
4.  $\forall a \in \mathcal{A}, id_a \in Outs(\Delta)$  s.t.  $\gamma(a) = id_a$ ,  $s_0.ex(a) = \sigma(id_a)$ .
5.  $\forall f \in \mathcal{F}, id_f \in Outs(\Delta)$  s.t.  $\gamma(f) = id_f$ ,  $s_0.ex(f) = \sigma(id_f)$ .
6.  $\forall t \in T_i, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  
 $t \in Sens(s.M) \Leftrightarrow \sigma(id_t)("s\_enabled") = \text{true}$ .
7.  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  
 $\sigma(id_t)("s\_condition\_combination") = \prod_{c \in cond(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$   
 $\text{where } cond(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$ .

- Apply Lemma First Rising Edge Equal Marking to solve 1.
- Apply Lemma First Rising Edge Equal Time Counters to solve 2.
- Apply Lemma First Rising Edge Equal Reset Orders to solve 3.
- Apply Lemma “First Rising Edge Equal Action Executions” to solve 4.

- Apply Lemma “First Rising Edge Equal Function Executions ” to solve 5.
- Apply Lemma “Rising Edge Equal Sensitized” to solve 6.
- Apply Lemma “Rising Edge Equal Condition Combination” to solve 7.

□

### C.2.1 First rising edge and marking

**Lemma 18** (First Rising Edge Equal Marking). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_{\uparrow}, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Def. 11, then  $\forall p \in P, id_p \in Comps(\Delta), \sigma_p \in \Sigma(\Delta(id_p))$  s.t.  $\gamma(p) = id_p$  and  $\sigma(id_p) = \sigma_p$ ,  $s_0.M(p) = \sigma_p("s\_marking")$ .*

*Proof.* Given a  $p, id_p, \sigma_p$  s.t.  $\gamma(p) = id_p$  and  $\sigma(id_p) = \sigma_p$ , let us show that  $s_0.M(p) = \sigma_p("s\_marking")$ . By definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL elaboration relation, the  $\mathcal{H}$ -VHDL initialization relation, the  $\text{Inject}_{\uparrow}$  relation, the  $\mathcal{H}$ -VHDL rising edge relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , there exist a  $\sigma_p^e, \sigma_p^0, \sigma_p^{injr}, \sigma_p^r \in \Sigma(\Delta)$  s.t.  $\sigma_e(id_p) = \sigma_p^e$  and  $\sigma_0(id_p) = \sigma_p^0$  and  $\sigma_i(id_p) = \sigma_p^{injr}$  and  $\sigma_r(id_p) = \sigma_p^r$ .

From the elaboration to the end of the first rising edge phase, an internal state is associated with the P component instance  $id_p$  in the component store of the top-level design  $d$ .

By property of the  $\mathcal{H}$ -VHDL rising edge relation, the P design behavior (process “marking”), and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , then  $\sigma_p^r("s\_marking") = \sigma_p^{injr}("s\_marking") + \sigma_p^{injr}("s\_input\_token\_sum") - \sigma_p^{injr}("s\_output\_token\_sum")$ .

Result of the execution of the process “marking” that performs the signal assignment  
 $s\_marking \Leftarrow s\_marking + s\_input\_token\_sum - s\_output\_token\_sum$ .

By property of the  $\mathcal{H}$ -VHDL stabilize relation, the P design behavior (process “marking”), and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , then  $\sigma_p^r("s\_marking") = \sigma_p("s\_marking")$ .

As it is only assigned by the process “marking”, and as the process “marking” is never executed during the stabilization phase, the “ $s\_marking$ ” signal has an invariant value during the stabilization phase.

Rewriting  $\sigma_p("s\_marking")$  as  $\sigma_p^r("s\_marking")$ , and  $\sigma_p^r("s\_marking")$  as  $\sigma_p^{injr}("s\_marking") + \sigma_p^{injr}("s\_input\_token\_sum") - \sigma_p^{injr}("s\_output\_token\_sum")$ ,  
 $s_0.M(p) = \sigma_p^{injr}("s\_marking") + \sigma_p^{injr}("s\_input\_token\_sum") - \sigma_p^{injr}("s\_output\_token\_sum")$ .

By property of the  $\text{Inject}_{\uparrow}$  relation,  $\sigma_p^{injr}("s\_marking") = \sigma_p^0("s\_marking")$  and  
 $\sigma_p^{injr}("s\_input\_token\_sum") = \sigma_p^0("s\_input\_token\_sum")$  and  
 $\sigma_p^{injr}("s\_output\_token\_sum") = \sigma_p^0("s\_output\_token\_sum")$ . Rewriting the above,

$s_0.M(p) = \sigma_p^0("s\_marking") + \sigma_p^0("s\_input\_token\_sum") - \sigma_p^0("s\_output\_token\_sum")$ .

Detail the two lemmas giving this property.

By property of the  $\mathcal{H}$ -VHDL initialization relation,  $\sigma_p^0("s\_input\_token\_sum") = 0$  and  $\sigma_p^0("s\_output\_token\_sum") = 0$ . Rewriting the above,  $s_0.M(p) = \sigma_p^0("s\_marking")$ .

Applying the **Initial States Equal Marking** lemma,  $s_0.M(p) = \sigma_p^0("s\_marking")$ .  $\square$

### C.2.2 First rising edge and time counters

**Lemma 19** (First Rising Edge Equal Time Counters). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_r, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Def. 11, then*

$$\begin{aligned} \forall t \in T_i, id_t \in Comps(\Delta), \sigma_t \in \Sigma(\Delta(id_t)) \text{ s.t. } \gamma(t) = id_t \text{ and } \sigma(id_t) = \sigma_t, \\ upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t("s\_tc") \wedge \\ upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t)) \Rightarrow \sigma_t("s\_tc") = lower(I_s(t)) \wedge \\ upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t)) \Rightarrow \sigma_t("s\_tc") = upper(I_s(t)) \wedge \\ upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t("s\_tc"). \end{aligned}$$

*Proof.* Given a  $t \in T_i$ , an  $id_t \in Comps(\Delta)$  and a  $\sigma_t \in \Sigma(\Delta(id_t))$  s.t.  $\gamma(t) = id_t$  and  $\sigma(id_t) = \sigma_t$ , let's show that:

1.  $upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t("s\_tc")$
2.  $upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t)) \Rightarrow \sigma_t("s\_tc") = lower(I_s(t))$
3.  $upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t)) \Rightarrow \sigma_t("s\_tc") = upper(I_s(t))$
4.  $upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t)) \Rightarrow s_0.I(t) = \sigma_t("s\_tc")$

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL elaboration relation, the  $\mathcal{H}$ -VHDL initialization relation, the  $\text{Inject}_\uparrow$  relation, the  $\mathcal{H}$ -VHDL rising edge relation and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , there exist a  $\sigma_t^e, \sigma_t^0, \sigma_t^{injr}, \sigma_t^r \in \Sigma(\Delta)$  s.t.  $\sigma_e(id_t) = \sigma_t^e$  and  $\sigma_0(id_t) = \sigma_t^0$  and  $\sigma_i(id_t) = \sigma_t^{injr}$  and  $\sigma_r(id_t) = \sigma_t^r$ .

From the elaboration to the end of the first rising edge phase, an internal state is associated with the T component instance  $id_t$  in the component store of the top-level design  $d$ .

Then, let's show the 4 previous subgoals.

1. Assume  $upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t))$ , then show  $s_0.I(t) = \sigma_t("s\_tc")$ .  
By property of the  $\text{Inject}_\uparrow$  relation, the  $\mathcal{H}$ -VHDL rising edge and stabilize relations, and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ ,  $\sigma_t("s\_tc") = \sigma_t^0("s\_tc")$ .
  - The above equality is deduced from the two following facts:
    - The process "time\_counter" is the only process that assigns signal  $s\_tc$  in the T component behavior, and it is never executed during the rising edge and stabilization phases.

- The values of component instances' internal signals are invariant through the  $\text{Inject}_\uparrow$  relation.

Rewriting  $\sigma_t("s\_tc")$  as  $\sigma_t^0("s\_tc")$ ,  $s_0.I(t) = \sigma_t^0("s\_tc")$ .

Applying the **Initial States Equal Time Counters** lemma,  $s_0.I(t) = \sigma_t^0("s\_tc")$ .

- Assume  $upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t))$ , then show  $\sigma_t("s\_tc") = lower(I_s(t))$ . By definition,  $lower(I_s(t)) \in \mathbb{N}^*$  and  $s_0.I(t) = 0$ . Then,  $lower(I_s(t)) < 0$  is a contradiction.
- Assume  $upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t))$ , then show  $\sigma_t("s\_tc") = upper(I_s(t))$ . By definition,  $upper(I_s(t)) \in \mathbb{N}^*$  and  $s_0.I(t) = 0$ . Then,  $upper(I_s(t)) < 0$  is a contradiction.
- Assume  $upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t))$ , then show  $s_0.I(t) = \sigma_t("s\_tc")$ .

By property of the  $\text{Inject}_\uparrow$  relation, the  $\mathcal{H}$ -VHDL rising edge and stabilize relations, and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ ,  $\sigma_t("s\_tc") = \sigma_t^0("s\_tc")$ .

Rewriting  $\sigma_t("s\_tc")$  as  $\sigma_t^0("s\_tc")$ ,  $s_0.I(t) = \sigma_t^0("s\_tc")$ .

Applying the **Initial States Equal Time Counters** lemma,  $s_0.I(t) = \sigma_t^0("s\_tc")$ .

□

### C.2.3 First rising edge and reset orders

**Lemma 20** (First Rising Edge Equal Reset Orders). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_\uparrow, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Def. 11, then*

$\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  
 $s_0.reset_t(t) = \sigma(id_t)(“s\_reinit\_time\_counter”)$ .

*Proof.* Given a  $t \in T$  and an  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show that  $s_0.reset_t(t) = \sigma(id_t)(“srtc”)$ .

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL stabilize relation and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ ,

then  $\sigma(id_t)(“srtc”) = \sum_{i=0}^{\Delta(id_t)(“input\_arcs\_number”)-1} \sigma(id_t)(“reinit\_time”)[i]$ .

$$s_0.reset_t(t) = \sum_{i=0}^{\Delta(id_t)(“ian”)-1} \sigma(id_t)(“rt”)[i].$$

Case analysis on  $input(t)$  (2 CASES):

- CASE**  $input(t) = \emptyset$ :

By construction,  $<\text{input\_arcs\_number} \Rightarrow 1> \in gm_t$ , and by property of the  $\mathcal{H}$ -VHDL elaboration relation, then  $\Delta(id_t)(“ian”) = 1$ . By construction,  $<\text{reinit\_time}(0) \Rightarrow \text{false}> \in ipm_t$ ,

and by property of the  $\mathcal{H}$ -VHDL stabilize relation,  $\sigma(id_t)(\text{"rt"})[0] = \text{false}$ .

Rewriting  $\Delta(id_t)(\text{"ian"})$  as 1 and  $\sigma(id_t)(\text{"rt"})[0]$  as  $\text{false}$ , and by definition of  $s_0$ ,  $s_0.reset_t(t) = \sum_{i=0}^{\Delta(\text{"ian"})-1} \sigma(id_t)(\text{"rt"})[i]$

- CASE  $input(t) \neq \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |input(t)| \rangle \in gm_t$ , and by property of the  $\mathcal{H}$ -VHDL elaboration relation, then  $\Delta(id_t)(\text{"ian"}) = |input(t)|$ .

Rewriting  $\Delta(id_t)(\text{"ian"})$  as  $|input(t)|$ ,  $s_0.reset_t(t) = \sum_{i=0}^{|input(t)|-1} \sigma(id_t)(\text{"rt"})[i]$ .

By definition of  $s_0$ ,  $s_0.reset_t(t) = \text{false}$ . Rewriting  $s_0.reset_t(t)$  as  $\text{false}$ ,

$$\sum_{i=0}^{|input(t)|-1} \sigma(id_t)(\text{"rt"})[i] = \text{false}.$$

Given a  $i \in [0, |input(t)| - 1]$ , let us show  $\sigma(id_t)(\text{"rt"})[i] = \text{false}$ .

By construction, and  $input(t) \neq \emptyset$ , there exist  $p \in input(t)$  and  $id_p \in \text{Comps}(\Delta)$  s.t.  $\gamma(p) = id_p$ .

By definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ . By construction for all  $i \in [0, |input(t)| - 1]$ , there exist  $j \in [0, |output(p)| - 1]$  and  $id_{ji} \in Sigs(\Delta)$  s.t.  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ .

By property of the  $\mathcal{H}$ -VHDL stabilize relation,  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ , then  $\sigma(id_t)(\text{"rt"})[i] = \sigma(id_{ji}) = \sigma(id_p)(\text{"rtt"})[j]$ .

Rewriting  $\sigma(id_t)(\text{"rt"})[i]$  as  $\sigma(id_{ji})$  and  $\sigma(id_{ji})$  as  $\sigma(id_p)(\text{"rtt"})[j]$ ,  $\sigma(id_p)(\text{"rtt"})[j] = \text{false}$ .

By property of the  $\mathcal{H}$ -VHDL rising edge and stabilize relations,

$$\begin{aligned} \sigma(id_p)(\text{"rtt"})[j] &= ((\sigma_0(id_p)(\text{"oat"})[j] = \text{BASIC} + \sigma_0(id_p)(\text{"oat"})[j] = \text{TEST}) \\ &\quad \cdot (\sigma_0(id_p)(\text{"sm"}) - \sigma_0(id_p)(\text{"sots"}) < \sigma_0(id_p)(\text{"oaw"})[j])) \\ &\quad \cdot (\sigma_0(id_p)(\text{"sots"}) > 0)) \\ &\quad + (\sigma_0(id_p)(\text{"otf"})[j]) \end{aligned}$$

Rewriting the goal with the above equation,

$$\begin{aligned} \text{false} &= ((\sigma_0(id_p)(\text{"oat"})[j] = \text{BASIC} + \sigma_0(id_p)(\text{"oat"})[j] = \text{TEST}) \\ &\quad \cdot (\sigma_0(id_p)(\text{"sm"}) - \sigma_0(id_p)(\text{"sots"}) < \sigma_0(id_p)(\text{"oaw"})[j])) \\ &\quad \cdot (\sigma_0(id_p)(\text{"sots"}) > 0)) \\ &\quad + (\sigma_0(id_p)(\text{"otf"})[j])) \end{aligned}$$

Add a lemma + proof in section initial states for fired = false after initialization.

By property of the  $\mathcal{H}$ -VHDL initialization and the  $\text{Inject}_\uparrow$  relations, then  $\sigma_0(id_p)(\text{"otf"})[j] = \text{false}$ . Rewriting  $\sigma_0(id_p)(\text{"otf"})[j]$  as  $\text{false}$  and simplifying the goal,

$$\begin{aligned} \text{false} = & ((\sigma_0(id_p)(\text{"oat"})[j] = \text{BASIC} + \sigma_0(id_p)(\text{"oat"})[j] = \text{TEST}) \\ & \cdot (\sigma_0(id_p)(\text{"sm"}) - \sigma_0(id_p)(\text{"sots"}) < \sigma_0(id_p)(\text{"oaw"})[j])) \\ & \cdot (\sigma_0(id_p)(\text{"sots"}) > 0)) \end{aligned}$$

Add a lemma + proof in section initial states for output token sum = 0 after initialization.

By property of the  $\mathcal{H}$ -VHDL initialization and the  $\text{Inject}_\uparrow$  relations, then  $\sigma_0(id_p)(\text{"sots"}) = 0$ .  
Rewriting  $\sigma_0(id_p)(\text{"sots"})$  as 0 and simplifying the goal,  $\text{false} = \text{false}$

□

#### C.2.4 First rising edge and action executions

**Lemma 21** (First Rising Edge Equal Action Executions). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_\uparrow, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Def. 11, then*

$$\forall a \in \mathcal{A}, id_a \in \text{Outs}(\Delta) \text{ s.t. } \gamma(a) = id_a, s_0.\text{ex}(a) = \sigma(id_a).$$

*Proof.* Given an  $a \in \mathcal{A}$  and an  $id_a \in \text{Outs}(\Delta)$  s.t.  $\gamma(a) = id_a$ , let us show that  $s_0.\text{ex}(a) = \sigma(id_a)$ .

Rewriting  $s_0.\text{ex}(a)$  as  $\text{false}$ , by definition of  $s_0$ ,  $\sigma(id_a) = \text{false}$ .

By construction,  $id_a$  is an output port identifier of boolean type in the  $\mathcal{H}$ -VHDL design  $d$  assigned only during a falling edge phase in the “action” process.

By property of the  $\mathcal{H}$ -VHDL  $\text{Inject}_\uparrow$ , rising edge and stabilize relations, then  $\sigma(id_a) = \sigma_0(id_a)$ .

Thanks to the Lemma **Initial States Equal Action Executions**,  $\sigma_0(id_a) = \text{false}$ .

Rewriting  $\sigma(id_a)$  as  $\sigma_0(id_a)$ , and  $\sigma_0(id_a)$  as  $\text{false}$ ,  $\text{false} = \text{false}$ .

□

#### C.2.5 First rising edge and function executions

**Lemma 22** (First Rising Edge Equal Function Executions). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_\uparrow, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Def. 11, then*

$$\forall f \in \mathcal{F}, id_f \in \text{Outs}(\Delta) \text{ s.t. } \gamma(f) = id_f, s_0.\text{ex}(f) = \sigma(id_f).$$

*Proof.* Given an  $f \in \mathcal{F}$  and an  $id_f \in \text{Outs}(\Delta)$  s.t.  $\gamma(f) = id_f$ , let us show that  $s_0.\text{ex}(f) = \sigma(id_f)$ .

Rewriting  $s_0.\text{ex}(f)$  as  $\text{false}$ , by definition of  $s_0$ ,  $\sigma(id_f) = \text{false}$ .

By construction, the “function” process is a part of design  $d$ ’s behavior, i.e  $\text{ps}(\text{"function"}, \emptyset, sl, ss) \in d.cs$ .

By construction  $id_f$  is an output port of design  $d$ , and it is only assigned in the body of the “function” process. Let  $trs(f)$  be the set of transitions associated to function  $f$ , i.e  $trs(f) = \{t \in T \mid \text{F}(t, f) = \text{true}\}$ . Then, depending on  $trs(f)$ , there are two cases of assignment of output port  $id_f$ :

- **CASE**  $\text{trs}(f) = \emptyset$ :

By construction,  $\text{id}_f \Leftarrow \text{false} \in ss_{\uparrow}$  where  $ss_{\uparrow}$  is the part of the “function” process body executed during the rising edge phase.

By property of the  $\mathcal{H}$ -VHDL rising edge and the stabilize relation, then

$$\sigma(id_f) = \text{false}.$$

- **CASE**  $\text{trs}(f) \neq \emptyset$ :

By construction,  $\text{id}_f \Leftarrow \text{id}_{ft_0} + \dots + \text{id}_{ft_n} \in ss_{\uparrow}$  where  $ss_{\uparrow}$  is the part of the “function” process body executed during the rising edge phase, and  $n = |\text{trs}(f)| - 1$ , and for all  $i \in [0, n - 1]$ ,  $\text{id}_{ft_i}$  is a internal signal of design  $d$ .

By property of the  $\text{Inject}_{\uparrow}$ , the  $\mathcal{H}$ -VHDL rising edge and stabilize relation, then  $\sigma(id_f) = \sigma_0(id_{ft_0}) + \dots + \sigma_0(id_{ft_n})$ .

Rewriting  $\sigma(id_f)$  as  $\sigma_0(id_{ft_0}) + \dots + \sigma_0(id_{ft_n})$ , then

$$\sigma_0(id_{ft_0}) + \dots + \sigma_0(id_{ft_n}) = \text{false}.$$

By construction, for all  $\text{id}_{ft_i}$ , there exist a  $t_i \in \text{trs}(f)$  and an  $\text{id}_{t_i}$  s.t.  $\gamma(t_i) = \text{id}_{t_i}$ .

By definition of  $\text{id}_{t_i}$ , there exist  $gm_{t_i}$ ,  $ipm_{t_i}$  and  $opm_{t_i}$  s.t.  
 $\text{comp}(\text{id}_{t_i}, "transition", gm_{t_i}, ipm_{t_i}, opm_{t_i}) \in d.cs$ .

By construction,  $\langle \text{fired} \Rightarrow \text{id}_{ft_i} \rangle \in opm_{t_i}$ , and by property of the initialization relation  $\sigma_0(id_{ft_i}) = \sigma_0(id_{t_i})(\text{"fired"})$ .

Rewriting  $\sigma_0(id_{ft_i})$  as  $\sigma_0(id_{t_i})(\text{"fired"})$ , then

$$\sigma_0(id_{t_0})(\text{"fired"}) + \dots + \sigma_0(id_{t_n})(\text{"fired"}) = \text{false}.$$

By property of the initialization relation, we know that for all  $t \in T$  and  $\text{id}_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = \text{id}_t$ , then  $\sigma_0(id_t)(\text{"fired"}) = \text{false}$ .

Rewriting all  $\sigma_0(id_{t_i})(\text{"fired"})$  as  $\text{false}$  and simplifying the goal, then

$$\text{false} = \text{false}.$$

□

### C.3 Rising Edge

**Definition 12** (Rising Edge Hypotheses). *Given an  $sitpn \in SITPN$ ,  $d \in \text{design}$ ,  $\gamma \in WM(sitpn, d)$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow \text{value}$ ,  $\tau \in \mathbb{N}$ ,  $s, s' \in S(sitpn)$ ,  $\sigma_e, \sigma, \sigma_i, \sigma_{\uparrow}, \sigma' \in \Sigma(\Delta)$ , assume that:*

- $\lfloor sitpn \rfloor_{\mathcal{H}} = (d, \gamma)$  and  $\gamma \vdash E_p \stackrel{env}{=} E_c$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} \Delta, \sigma_e$
- $\gamma \vdash s \overset{\downarrow}{\sim} \sigma$
- $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$
- $\text{Inject}_{\uparrow}(\sigma, E_p, \tau, \sigma_i)$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_i \vdash d.cs \xrightarrow{\uparrow} \sigma_{\uparrow}$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_{\uparrow} \vdash d.cs \xrightarrow{\rightsquigarrow} \sigma'$
- State  $\sigma$  is a stable design state:  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma \vdash d.cs \xrightarrow{comb} \sigma$

### C.3.1 Rising Edge and Marking

**Lemma 23** (Rising Edge Equal Marking). *For all  $sitpn$ ,  $d$ ,  $\gamma$ ,  $E_c$ ,  $E_p$ ,  $\tau$ ,  $\Delta$ ,  $\sigma_e$ ,  $s$ ,  $s'$ ,  $\sigma$ ,  $\sigma_i$ ,  $\sigma_\uparrow$ ,  $\sigma'$  that verify the hypotheses of Def. 12, then  $\forall p, id_p$  s.t.  $\gamma(p) = id_p$  and  $\sigma'(id_p) = \sigma'_p$ ,  $s'.M(p) = \sigma'_p("s_marking")$ .*

*Proof.* Given a  $p \in P$ , let us show  $s'.M(p) = \sigma'(id_p)("s_marking")$ .

By definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ . By definition of the SITPN state transition relation on rising edge:

$$s'.M(p) = s.M(p) - \sum_{t \in Fired(s)} pre(p, t) + \sum_{t \in Fired(s)} post(t, p) \quad (\text{C.1})$$

By property of the  $\text{Inject}_\uparrow$ , the  $\mathcal{H}$ -VHDL rising edge and the stabilize relations, and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\begin{aligned} \sigma'(id_p)(“sm”) &= \sigma(id_p)(“sm”) - \sigma(id_p)(“s_output_token_sum”) \\ &\quad + \sigma(id_p)(“s_input_token_sum”) \end{aligned} \quad (\text{C.2})$$

By definition of the **Full post falling edge state similarity** relation:

$$s.M(p) = \sigma(id_p)(“sm”) \quad (\text{C.3})$$

$$\sum_{t \in Fired(s)} pre(p, t) = \sigma(id_p)(“sots”) \quad (\text{C.4})$$

$$\sum_{t \in Fired(s)} post(t, p) = \sigma(id_p)(“sits”) \quad (\text{C.5})$$

Rewriting the goal with C.1, C.2, C.3, C.4 and C.5, **tautology**.

□

### C.3.2 Rising edge and condition combination

**Lemma 24** (Rising Edge Equal Condition Combination). *For all  $sitpn$ ,  $d$ ,  $\gamma$ ,  $E_c$ ,  $E_p$ ,  $\tau$ ,  $\Delta$ ,  $\sigma_e$ ,  $s$ ,  $s'$ ,  $\sigma$ ,  $\sigma_i$ ,  $\sigma_\uparrow$ ,  $\sigma'$  that verify the hypotheses of Def. 12, then*

$\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,

$$\sigma'(id_t)(“s_condition_combination”) = \prod_{c \in cond(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

where  $cond(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$ .

*Proof.* Given a  $t$  and an  $id_t$  s.t.  $\gamma(t) = id_t$ , let us show

$$\sigma'(id_t)(“s_condition_combination”) = \prod_{c \in cond(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL stabilize relation, and

$\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_t)(“scc”) = \prod_{i=0}^{\Delta(id_t)(“conditions_number”)-1} \sigma'(id_t)(“input_conditions”)[i] \quad (\text{C.6})$$

Rewriting the goal with C.6,

$$\prod_{i=0}^{\Delta(id_t)(cn'')-1} \sigma'(id_t)(ic'')[i] = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

Case analysis on  $\text{conds}(t)$  (2 CASES):

- **CASE**  $\text{conds}(t) = \emptyset$ :

$$\prod_{i=0}^{\Delta(id_t)(cn'')-1} \sigma'(id_t)(ic'')[i] = \text{true}.$$

By construction,  $\langle \text{conditions\_number} \Rightarrow 1 \rangle \in gm_t$  and  $\langle \text{input\_conditions}(0) \Rightarrow \text{true} \rangle \in ipm_t$ .

By property of the stabilize relation,  $\langle \text{conditions\_number} \Rightarrow 1 \rangle \in gm_t$  and  $\langle \text{input\_conditions}(0) \Rightarrow \text{true} \rangle \in ipm_t$ :

$$\Delta(id_t)(cn'') = 1 \quad (\text{C.7})$$

$$\sigma'(id_t)(ic'')[0] = \text{true} \quad (\text{C.8})$$

Rewriting the goal with C.7 and C.8, tautology.

- **CASE**  $\text{conds}(t) \neq \emptyset$ :

By construction,  $\langle \text{conditions\_number} \Rightarrow |\text{conds}(t)| \rangle \in gm_t$ , and by property of the stabilize relation:

$$\Delta(id_t)(cn'') = |\text{conds}(t)| \quad (\text{C.9})$$

Rewriting the goal with (C.9),

$$\prod_{i=0}^{|\text{conds}(t)|-1} \sigma'(id_t)(ic'')[i] = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

Applying Theorem ??, there are two points to prove:

$$1. \quad |\text{conds}(t)| = |\text{conds}(t)|$$

$$2. \quad \exists \text{ an injection } \iota \in [0, |\text{conds}(t)| - 1] \rightarrow \text{conds}(t) \text{ s.t.}$$

$$\forall i \in [0, |\text{conds}(t)| - 1], \sigma'(id_t)(ic'')[i] = \begin{cases} E_c(\tau, \iota(i)) & \text{if } \mathbb{C}(t, \iota(i)) = 1 \\ \text{not}(E_c(\tau, \iota(i))) & \text{if } \mathbb{C}(t, \iota(i)) = -1 \end{cases}$$

By construction, there exists a bijection  $\beta \in [0, |\text{conds}(t)| - 1] \rightarrow \text{conds}(t)$  such that for all  $i \in [0, |\text{conds}(t)| - 1]$ , there exists an  $id_c \in \text{Ins}(\Delta)$  and:

- $\gamma(\beta(i)) = id_c$
- $\mathbb{C}(t, \beta(i)) = 1$  implies  $\langle \text{input\_conditions}(i) \Rightarrow \text{id}_c \rangle \in ipm_t$
- $\mathbb{C}(t, \beta(i)) = -1$  implies  $\langle \text{input\_conditions}(i) \Rightarrow \text{not id}_c \rangle \in ipm_t$

Let us take such a bijection  $\beta$  to prove the goal. Then, given an  $i \in [0, |\text{conds}(t)| - 1]$ , let us show

$$\sigma'(\text{id}_t)(\text{"ic"})[i] = \begin{cases} E_c(\tau, \beta(i)) & \text{if } \mathbb{C}(t, \beta(i)) = 1 \\ \text{not}(E_c(\tau, \beta(i))) & \text{if } \mathbb{C}(t, \beta(i)) = -1 \end{cases}$$

By definition of  $\beta(i) \in \text{conds}(t)$ :

$$\mathbb{C}(t, \beta(i)) = 1 \vee \mathbb{C}(t, \beta(i)) = -1 \quad (\text{C.10})$$

Case analysis on (C.10):

- CASE  $\mathbb{C}(t, \beta(i)) = 1$ :  $\boxed{\sigma'(\text{id}_t)(\text{"ic"})[i] = E_c(\tau, \beta(i))}$

By property of  $\beta$ , there exists  $\text{id}_c \in \text{Ins}(\Delta)$  s.t.  $\gamma(\beta(i)) = \text{id}_c$  and  
 $\langle \text{input\_conditions}(i) \Rightarrow \text{id}_c \rangle \in \text{ipm}_t$ .

By property of the stabilize relation and  $\langle \text{input\_conditions}(i) \Rightarrow \text{id}_c \rangle \in \text{ipm}_t$ :

$$\sigma'(\text{id}_t)(\text{"ic"})[i] = \sigma'(\text{id}_c) \quad (\text{C.11})$$

By property of the  $\mathcal{H}$ -VHDL rising edge and stabilize relations, and  $\text{id}_c \in \text{Ins}(\Delta)$ :

$$\sigma'(\text{id}_c) = \sigma_i(\text{id}_c) \quad (\text{C.12})$$

By property of the  $\text{Inject}_{\uparrow}$  relation and  $\text{id}_c \in \text{Ins}(\Delta)$ :

$$\sigma_i(\text{id}_c) = E_p(\tau, \uparrow)(\text{id}_c) \quad (\text{C.13})$$

By property of  $\gamma \vdash E_p \xrightarrow{\text{env}} E_c$ :

$$E_p(\tau, \uparrow)(\text{id}_c) = E_c(\tau, c) \quad (\text{C.14})$$

Rewriting the goal with (C.11), (C.12), (C.13), (C.14), tautology.

- CASE  $\mathbb{C}(t, c) = -1$ :  $\boxed{\sigma'(\text{id}_t)(\text{"ic"})[i] = \text{not } E_c(\tau, \beta(i))}$

By property of  $\beta$ , there exists  $\text{id}_c \in \text{Ins}(\Delta)$  s.t.  $\gamma(\beta(i)) = \text{id}_c$  and  
 $\langle \text{input\_conditions}(i) \Rightarrow \text{not id}_c \rangle \in \text{ipm}_t$ .

By property of the stabilize relation and  $\langle \text{input\_conditions}(i) \Rightarrow \text{not id}_c \rangle \in \text{ipm}_t$ :

$$\sigma'(\text{id}_t)(\text{"ic"})[i] = \text{not } \sigma'(\text{id}_c) \quad (\text{C.15})$$

Then, equations (C.12), (C.13) and (C.14) also hold this case.

Rewriting the goal with (C.15), (C.12), (C.13) and (C.14), tautology.

□

### C.3.3 Rising edge and time counters

**Lemma 25** (Rising Edge Equal Time Counters). *For all  $\text{sitpn}, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_{\uparrow}, \sigma'$  that verify the hypotheses of Def. 12, then*  
 $\forall t \in T_i, \text{id}_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = \text{id}_t$ ,

$$\begin{aligned}
& (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) \leq \text{lower}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"}) \\
& \wedge (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) > \text{lower}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{lower}(I_s(t))) \\
& \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) > \text{upper}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{upper}(I_s(t))) \\
& \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) \leq \text{upper}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"})). 
\end{aligned}$$

*Proof.* Given a  $t \in T_i$  and an  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show

$$\begin{aligned}
& (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) \leq \text{lower}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"}) \\
& \wedge (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) > \text{lower}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{lower}(I_s(t))) \\
& \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) > \text{upper}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{upper}(I_s(t))) \\
& \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) \leq \text{upper}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"}))
\end{aligned}$$

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ .

Then, there are 4 points to show:

$$1. \boxed{\text{upper}(I_s(t)) = \infty \wedge s'.I(t) \leq \text{lower}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"})}$$

Assuming  $\text{upper}(I_s(t)) = \infty$  and  $s'.I(t) \leq \text{lower}(I_s(t))$ , let us show

$$\boxed{s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"}).$$

By property of the  $\text{Inject}_{\uparrow}$ ,  $\mathcal{H}$ -VHDL rising edge and stabilize relations, and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_t)(\text{"s\_time\_counter"}) = \sigma(id_t)(\text{"s\_time\_counter"}) \quad (\text{C.16})$$

By property of  $\gamma \vdash s \stackrel{\downarrow}{\sim} \sigma$ :

$$s.I(t) = \sigma(id_t)(\text{"s\_time\_counter"}) \quad (\text{C.17})$$

Rewriting the goal with (C.16) and (C.17), tautology.

$$2. \boxed{\text{upper}(I_s(t)) = \infty \wedge s'.I(t) > \text{lower}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{lower}(I_s(t))}$$

Proved in the same fashion as 1.

$$3. \boxed{\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) > \text{upper}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{upper}(I_s(t))}$$

Proved in the same fashion as 1.

$$4. \boxed{\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) \leq \text{upper}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"})}$$

Proved in the same fashion as 1.

□

### C.3.4 Rising edge and reset orders

**Lemma 26** (Rising Edge Equal Reset Orders). *For all  $sitpn, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_{\uparrow}, \sigma'$  that verify the hypotheses of Def. 12, then*

$\forall t \in T_i, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t, s'.reset_t(t) = \sigma'(id_t)(\text{"s\_reinit\_time\_counter"})$

*Proof.* Given a  $t \in T_i$  and an  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show

$$s'.reset_t(t) = \sigma'(id_t)(\text{"s\_reinit\_time\_counter"}).$$

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL stabilize relation and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_t)(\text{"srtc"}) = \sum_{i=0}^{\Delta(id_t)(\text{"input\_arcs\_number"})-1} \sigma'(id_t)(\text{"reinit\_time"})[i] \quad (\text{C.18})$$

Rewriting the goal with (C.18),  $s'.reset_t(t) = \sum_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"rt"})[i].$

Case analysis on  $input(t)$  (2 CASES):

- **CASE**  $input(t) = \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow 1 \rangle \in gm_t$ , and by property of the elaboration relation:

$$\Delta(id_t)(\text{"ian"}) = 1 \quad (\text{C.19})$$

By construction, there exists an  $id_{ft} \in Sigs(\Delta)$  s.t.  $\langle \text{reinit\_time}(0) \Rightarrow id_{ft} \rangle \in ipm_t$  and  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$ , and by property of the  $\mathcal{H}$ -VHDL stabilize relation and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_t)(\text{"rt"})[0] = \sigma'(id_{ft}) \quad (\text{C.20})$$

$$\sigma'(id_{ft}) = \sigma'(id_t)(\text{"fired"}) \quad (\text{C.21})$$

$$\sigma'(id_t)(\text{"fired"}) = \sigma'(id_t)(\text{"s\_fired"}) \quad (\text{C.22})$$

$$\sigma'(id_t)(\text{"s\_fired"}) = \sigma'(id_t)(\text{"s\_firable"}) \cdot \sigma'(id_t)(\text{"s\_priority\_combination"}) \quad (\text{C.23})$$

Rewriting the goal with (C.20), (C.35), (C.22) and (C.23),

$$s'.reset_t(t) = \sigma'(id_t)(\text{"s\_firable"}) \cdot \sigma'(id_t)(\text{"s\_priority\_combination"}).$$

By property of the stabilize relation, and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_t)(\text{"spc"}) = \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"priority\_authorizations"})[i] \quad (\text{C.24})$$

By construction,  $\langle \text{priority\_authorizations}(0) \Rightarrow \text{true} \rangle \in ipm_t$ , and by property of the stabilize relation and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_t)(\text{"priority\_authorizations"})[0] = \text{true} \quad (\text{C.25})$$

Rewriting the goal with (C.19), (C.24) and (C.25), and simplifying the equation,

$$s'.reset_t(t) = \sigma'(id_t)(\text{"s\_firable"}).$$

Case analysis on  $t \in Fired(s)$  or  $t \notin Fired(s)$ :

- **CASE**  $t \in Fired(s)$ :

By property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$ :

$$s'.reset_t(t) = \text{true} \quad (\text{C.26})$$

Rewriting the goal with (C.26),  $\boxed{\sigma'(id_t)(\text{"s\_firable"}) = \text{true.}}$

By property of the stabilize, the  $\mathcal{H}$ -VHDL rising edge and the  $\text{Inject}_\uparrow$  relations, and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma(id_t)(\text{"s\_firable"}) = \sigma'(id_t)(\text{"s\_firable"}) \quad (\text{C.27})$$

Rewriting the goal with (C.27),  $\boxed{\sigma(id_t)(\text{"s\_firable"}) = \text{true.}}$

By property of  $\gamma \vdash s \xrightarrow{\downarrow} \sigma$ :

$$t \in \text{Firable}(s) \Leftrightarrow \sigma(id_t)(\text{"sfa"}) = \text{true} \quad (\text{C.28})$$

Rewriting the goal with (C.28),  $\boxed{t \in \text{Firable}(s).}$

By property of  $t \in \text{Fired}(s)$ ,  $\boxed{t \in \text{Firable}(s).}$

- **CASE**  $t \notin \text{Fired}(s)$ :

By property of  $\text{input}(t) = \emptyset$ , there does not exist any input place connected to  $t$  by a basic or test arc. Thus, by property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$ :

$$s'.reset_t(t) = \text{false} \quad (\text{C.29})$$

Rewriting the goal with (C.29),  $\boxed{\sigma'(id_t)(\text{"s\_firable"}) = \text{false.}}$

By property of the stabilize, the  $\mathcal{H}$ -VHDL rising edge and the  $\text{Inject}_\uparrow$  relations, and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , equation (C.27) holds.

Rewriting the goal with (C.27),  $\boxed{\sigma(id_t)(\text{"s\_firable"}) = \text{false.}}$

By property of  $\gamma \vdash s \xrightarrow{\downarrow} \sigma$ :

$$t \notin \text{Firable}(s) \Leftrightarrow \sigma(id_t)(\text{"sfa"}) = \text{false} \quad (\text{C.30})$$

By property of  $t \notin \text{Fired}(s)$  and  $\text{input}(t) = \emptyset$ ,  $\boxed{t \notin \text{Firable}(s).}$

- **CASE**  $\text{input}(t) \neq \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |\text{input}(t)| \rangle \in gm_t$ , and by property of the  $\mathcal{H}$ -VHDL elaboration relation:

$$\Delta(id_t)(\text{"ian"}) = |\text{input}(t)| \quad (\text{C.31})$$

Rewriting the goal with (C.31),  $\boxed{s'.reset_t(t) = \sum_{i=0}^{|\text{input}(t)|-1} \sigma'(id_t)(\text{"rt"})[i].}$

Case analysis on  $t \in \text{Fired}(s)$  or  $t \notin \text{Fired}(s)$ :

- **CASE**  $t \in Fired(s)$ :

By property of  $E_c$ ,  $\tau \vdash s \xrightarrow{\uparrow} s'$ , equation (C.26) holds.

Rewriting the goal with (C.26),  $\sum_{i=0}^{|input(t)|-1} \sigma'(id_t)(rt)[i] = \text{true}$ .

To prove the goal, let us show  $\exists i \in [0, |input(t)| - 1] \text{ s.t. } \sigma'(id_t)(rt)[i] = \text{true}$ .

By construction, and  $input(t) \neq \emptyset$ , there exist  $p \in input(t)$  and  $id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p$ .

By definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ . By construction, there exist an  $i \in [0, |input(t)| - 1]$ , a  $j \in [0, |output(p)| - 1]$  and  $id_{ji} \in Sigs(\Delta)$  s.t.  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and

$\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ . Let us take such an  $i, j$  and  $id_{ji}$ , and let us use  $i$  to prove the goal:  $\sigma'(id_t)(rt)[i] = \text{true}$ .

By property of the stabilize relation,  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ :

$$\sigma'(id_t)(rt)[i] = \sigma'(id_{ji}) = \sigma'(id_p)(rtt)[j] \quad (\text{C.32})$$

Rewriting the goal with (C.32),  $\sigma'(id_p)(rtt)[j] = \text{true}$ .

By property of the  $\text{Inject}_\uparrow$ , the  $\mathcal{H}$ -VHDL rising edge and the stabilize relations:

$$\begin{aligned} \sigma'(id_p)(rtt)[j] &= ((\sigma(id_p)(oat)[j] = \text{BASIC} + \sigma(id_p)(oat)[j] = \text{TEST}) \\ &\quad \cdot (\sigma(id_p)(sm) - \sigma(id_p)(sots) < \sigma(id_p)(oaw)[j])) \\ &\quad \cdot (\sigma(id_p)(sots) > 0)) \\ &\quad + \sigma(id_p)(otf)[j] \end{aligned} \quad (\text{C.33})$$

Rewriting the goal with (C.33),

$$\begin{aligned} \text{true} &= ((\sigma(id_p)(oat)[j] = \text{BASIC} + \sigma(id_p)(oat)[j] = \text{TEST}) \\ &\quad \cdot (\sigma(id_p)(sm) - \sigma(id_p)(sots) < \sigma(id_p)(oaw)[j])) \\ &\quad \cdot (\sigma(id_p)(sots) > 0)) \\ &\quad + (\sigma(id_p)(otf)[j]) \end{aligned}$$

By construction, there exists  $id_{ft} \in Sigs(\Delta)$  s.t.  $\langle \text{output\_transitions\_ fired}(j) \Rightarrow id_{ft} \rangle \in ipm_p$  and  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$ . By property of state  $\sigma$  as being a stable state:

$$\sigma(id_t)(fired) = \sigma(id_{ft}) = \sigma(id_p)(otf)[j] \quad (\text{C.34})$$

Rewriting the goal with (C.34),

$$\begin{aligned} \text{true} = & ((\sigma(id_p)(\text{"oat"})[j] = \text{BASIC} + \sigma(id_p)(\text{"oat"})[j] = \text{TEST}) \\ & \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ & \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \\ & + \sigma(id_t)(\text{"fired"}) \end{aligned}$$

By property of  $\gamma \vdash s \xrightarrow{\downarrow} \sigma$ :

$$t \in Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{true} \quad (\text{C.35})$$

Knowing that  $t \in Fired(s)$ , we can rewrite the goal with the right side of (C.35) and simplify the goal (i.e.,  $\forall b \in \mathbb{B}, b + \text{true} = \text{true}$ ), then **tautology**.

- **CASE**  $t \notin Fired(s)$ : Then, there are two cases that will determine the value of  $s'.reset_t(t)$ . Either there exists a place  $p$  with an output token sum greater than zero, that is connected to  $t$  by an `basic` or `test` arc, and such that the transient marking of  $p$  disables  $t$ ; or such a place does not exist (the predicate is decidable).

\* **CASE** there exists such a place  $p$  as described above:

Then, let us take such a place  $p$  and  $\omega \in \mathbb{N}^*$  s.t.:

1.  $\sum_{t_i \in Fired(s)} pre(p, t_i) > 0$
2.  $pre(p, t) = (\omega, \text{basic}) \vee pre(p, t) = (\omega, \text{test})$
3.  $s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega$

We will only consider the case where  $pre(p, t) = (\omega, \text{basic})$ ; the proof is the similar when  $pre(p, t) = (\omega, \text{test})$ .

Assuming that  $p$  exists, and by property of  $\gamma \vdash s \xrightarrow{\downarrow} \sigma$ :

$$s'.reset_t(t) = \text{true} \quad (\text{C.36})$$

Rewriting the goal with (C.36),  $\sum_{i=0}^{|input(t)|-1} \sigma'(id_t)(\text{"rt"})[i] = \text{true}$ .

To prove the goal, let us show  $\exists i \in [0, |input(t)| - 1] \text{ s.t. } \sigma'(id_t)(\text{"rt"})[i] = \text{true}$ .

By construction, there exists  $id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p$ .

By definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ . By construction, there exist an  $i \in [0, |input(t)| - 1]$ , a  $j \in [0, |output(p)| - 1]$  and  $id_{ji} \in Sigs(\Delta)$  s.t.  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and

$\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ . Let us take such an  $i, j$  and  $id_{ji}$ , and let us use  $i$  to prove the goal:  $\sigma'(id_t)(\text{"rt"})[i] = \text{true}$ .

By property of the stabilize relation,  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ :

$$\sigma'(id_t)(\text{"rt"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"rtt"})[j] \quad (\text{C.37})$$

Rewriting the goal with (C.37),  $\boxed{\sigma'(id_p)(“rtt”)[j] = \text{true.}}$

By property of the  $\text{Inject}_{\uparrow}$ , the  $\mathcal{H}$ -VHDL rising edge and the stabilize relations:

$$\begin{aligned} \sigma'(id_p)(“rtt”)[j] &= ((\sigma(id_p)(“oat”)[j] = \text{BASIC} + \sigma(id_p)(“oat”)[j] = \text{TEST}) \\ &\quad \cdot (\sigma(id_p)(“sm”) - \sigma(id_p)(“sots”) < \sigma(id_p)(“oaw”)[j])) \\ &\quad \cdot (\sigma(id_p)(“sots”) > 0)) \\ &\quad + \sigma(id_p)(“otf”)[j] \end{aligned} \quad (\text{C.38})$$

Rewriting the goal with (C.38),

$$\begin{aligned} \text{true} &= ((\sigma(id_p)(“oat”)[j] = \text{BASIC} + \sigma(id_p)(“oat”)[j] = \text{TEST}) \\ &\quad \cdot (\sigma(id_p)(“sm”) - \sigma(id_p)(“sots”) < \sigma(id_p)(“oaw”)[j])) \\ &\quad \cdot (\sigma(id_p)(“sots”) > 0)) \\ &\quad + \sigma(id_p)(“otf”)[j] \end{aligned}$$

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{BASIC} \rangle \in ipm_p$  and  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, “place”, gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_p)(“oat”)[j] = \text{BASIC} \quad (\text{C.39})$$

$$\sigma'(id_p)(“oaw”)[j] = \omega \quad (\text{C.40})$$

By property of  $\gamma \vdash s \stackrel{\downarrow}{\sim} \sigma$ :

$$\sigma(id_p)(“sm”) = s.M(p) \quad (\text{C.41})$$

$$\sigma(id_p)(“sots”) = \sum_{t_i \in Fired(s)} pre(p, t_i) \quad (\text{C.42})$$

Rewriting the goal with (C.39), (C.40), (C.41) and (C.42), and simplifying the goal:

$$(s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega \cdot \sum_{t_i \in Fired(s)} pre(p, t_i) > 0) + \sigma(id_t)(“fired”) = \text{true}$$

Thanks to the hypotheses 1 and 3:

$$s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega = \text{true} \quad (\text{C.43})$$

$$\sum_{t_i \in Fired(s)} pre(p, t_i) > 0 = \text{true} \quad (\text{C.44})$$

$$(\text{C.45})$$

Rewriting the goal with (C.43) and (C.44), and simplifying the goal, tautology.

\* CASE such a place does not exist:

Then, let us assume that, for all place  $p \in P$

$$1. \quad \sum_{t_i \in Fired(s)} pre(p, t_i) = 0$$

2. or  $\forall \omega \in \mathbb{N}^*, pre(p, t) = (\omega, \text{basic}) \vee pre(p, t) = (\omega, \text{test}) \Rightarrow s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) \geq \omega$ .

In that case, by property of  $\gamma \vdash s \stackrel{\downarrow}{\sim} \sigma$ :

$$s'.reset_t(t) = \text{false} \quad (\text{C.46})$$

Rewriting the goal with (C.46):  $\sum_{i=0}^{|input(t)|-1} \sigma'(id_t)(rt)[i] = \text{false}$ .

To prove the goal, let us show  $\forall i \in [0, |input(t)| - 1], \sigma'(id_t)(rt)[i] = \text{false}$ .

Given an  $i \in [0, |input(t)| - 1]$ , let us show  $\sigma'(id_t)(rt)[i] = \text{false}$ .

By construction, there exist a  $p \in input(t)$ , an  $id_p \in Comps(\Delta)$ ,  $gm_p, ipm_p, opm_p$ , a  $j \in [0, |output(p)| - 1]$ , an  $id_{ji} \in Sigs(\Delta)$  s.t.  $\gamma(p) = id_p$  and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$  and  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ . Let us take such a  $p, id_p, gm_p, ipm_p, opm_p, j$  and  $id_{ji}$ .

By property of the stabilize relation,  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ :

$$\sigma'(id_t)(rt)[i] = \sigma'(id_{ji}) = \sigma'(id_p)(rtt)[j] \quad (\text{C.47})$$

Rewriting the goal with (C.47):  $\sigma'(id_p)(rtt)[j] = \text{false}$ .

By property of the  $\text{Inject}_\uparrow$ , the  $\mathcal{H}$ -VHDL rising edge and the stabilize relations:

$$\begin{aligned} \sigma'(id_p)(rtt)[j] = & ((\sigma(id_p)(oat)[j] = \text{BASIC} + \sigma(id_p)(oat)[j] = \text{TEST}) \\ & .(\sigma(id_p)(sm) - \sigma(id_p)(sots) < \sigma(id_p)(oaw)[j]) \\ & .(\sigma(id_p)(sots) > 0)) \\ & + \sigma(id_p)(otf)[j] \end{aligned} \quad (\text{C.48})$$

Rewriting the goal with (C.48),

$$\begin{aligned} \text{false} = & ((\sigma(id_p)(oat)[j] = \text{BASIC} + \sigma(id_p)(oat)[j] = \text{TEST}) \\ & .(\sigma(id_p)(sm) - \sigma(id_p)(sots) < \sigma(id_p)(oaw)[j]) \\ & .(\sigma(id_p)(sots) > 0)) \\ & + \sigma(id_p)(otf)[j] \end{aligned}$$

By construction, there exists  $id_{ft} \in Sigs(\Delta)$  s.t.  $\langle \text{output\_transitions\_fired}(j) \Rightarrow id_{ft} \rangle \in ipm_p$  and  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$ . By property of state  $\sigma$  as being a stable state:

$$\sigma(id_t)(fired) = \sigma(id_{ft}) = \sigma(id_p)(otf)[j] \quad (\text{C.49})$$

Rewriting the goal with (C.49),

$$\begin{aligned} \text{false} = & ((\sigma(id_p)(\text{"oat"})[j] = \text{BASIC} + \sigma(id_p)(\text{"oat"})[j] = \text{TEST}) \\ & \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ & \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \\ & + \sigma(id_t)(\text{"fired"}) \end{aligned}$$

By property of  $\gamma \vdash s \stackrel{\downarrow}{\sim} \sigma$ :

$$t \notin Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{false} \quad (\text{C.50})$$

Knowing that  $t \notin Fired(s)$ , we can rewrite the goal with the right side of (C.50) and simplify the goal (i.e.,  $\forall b \in \mathbb{B}, b + \text{false} = b$ ):

$$\begin{aligned} \text{false} = & ((\sigma(id_p)(\text{"oat"})[j] = \text{BASIC} + \sigma(id_p)(\text{"oat"})[j] = \text{TEST}) \\ & \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ & \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \end{aligned}$$

Then, there are two cases:

1. **CASE**  $\sum_{t_i \in Fired(s)} pre(p, t_i) = 0$ :

By property of  $\gamma \vdash s \stackrel{\downarrow}{\sim} \sigma$ :

$$\sum_{t_i \in Fired(s)} pre(p, t_i) = \sigma(id_p)(\text{"sots"}) \quad (\text{C.51})$$

Rewriting the goal with (C.51) and  $\sum_{t_i \in Fired(s)} pre(p, t_i) = 0$ , simplifying the goal: **tautology**.

2. **CASE**  $\forall \omega \in \mathbb{N}^*, pre(p, t) = (\omega, \text{basic}) \vee pre(p, t) = (\omega, \text{test}) \Rightarrow s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) \geq \omega$ :

Let us perform case analysis on  $pre(p, t)$ ; there are two cases:

- (a) **CASE**  $pre(p, t) = (\omega, \text{basic})$  or  $pre(p, t) = (\omega, \text{test})$ :

By construction,  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of stable state  $\sigma$  and  $\text{comp}(id_p, \text{"place"}, gmp_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma(id_p)(\text{"oaw"})[j] = \omega \quad (\text{C.52})$$

By property of  $\gamma \vdash s \stackrel{\downarrow}{\sim} \sigma$ :

$$\sigma(id_p)(\text{"sm"}) = s.M(p) \quad (\text{C.53})$$

$$\sigma(id_p)(\text{"sots"}) = \sum_{t_i \in Fired(s)} pre(p, t_i) \quad (\text{C.54})$$

By hypothesis, we know that  $s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) \geq \omega$ , and then we can deduce:

$$s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega = \text{false} \quad (\text{C.55})$$

Rewriting the goal with (C.52), (C.53), (C.54), and (C.55), and simplifying the goal, tautology.

(b) CASE  $pre(p, t) = (\omega, \text{inhib})$ :

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{INHIB} \rangle \in ipm_p$ .

By property of stable state  $\sigma$  and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma(id_p)(\text{"oat"})[j] = \text{INHIB} \quad (\text{C.56})$$

Rewriting the goal with (C.56), and simplifying the goal, tautology.

□

### C.3.5 Rising edge and action executions

**Lemma 27** (Rising Edge Equal Action Executions). *For all  $sitpn, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_\uparrow, \sigma'$  that verify the hypotheses of Def. 12, then*

$$\forall a \in \mathcal{A}, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s'.ex(a) = \sigma'(id_a).$$

*Proof.* Given an  $a \in \mathcal{A}$  and an  $id_a \in Outs(\Delta)$  s.t.  $\gamma(a) = id_a$ , let us show  $s'.ex(a) = \sigma'(id_a)$ .

By property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$ :

$$s.ex(a) = s'.ex(a) \quad (\text{C.57})$$

By construction,  $id_a$  is an output port identifier of boolean type in the  $\mathcal{H}$ -VHDL design  $d$  assigned by the “action” process only during a falling edge phase.

By property of the  $\mathcal{H}$ -VHDL  $\text{Inject}_\uparrow$ , rising edge, stabilize relations, and the “action” process:

$$\sigma(id_a) = \sigma'(id_a) \quad (\text{C.58})$$

Rewriting the goal with (C.57) and (C.58),  $s'.ex(a) = \sigma(id_a)$ .

By property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$ ,  $s'.ex(a) = \sigma(id_a)$ .

□

### C.3.6 Rising edge and function executions

**Lemma 28** (Rising Edge Equal Function Executions). *For all  $sitpn, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_\uparrow, \sigma'$  that verify the hypotheses of Def. 12, then*

$$\forall f \in \mathcal{F}, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s'.ex(f) = \sigma'(id_f).$$

*Proof.* Given an  $f \in \mathcal{F}$  and an  $id_f \in Outs(\Delta)$  s.t.  $\gamma(f) = id_f$ , let us show  $s'.ex(f) = \sigma'(id_f)$ .

By property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$ :

$$s'.ex(f) = \sum_{t \in Fired(s)} \mathbb{F}(t, f) \quad (\text{C.59})$$

By construction, the “function” process is a part of design  $d$ ’s behavior, i.e  $\text{ps}("function", \emptyset, sl, ss) \in d.cs$ .

By construction  $\text{id}_f$  is an output port of design  $d$ , and it is only assigned in the body of the “function” process. Let  $\text{trs}(f)$  be the set of transitions associated to function  $f$ , i.e  $\text{trs}(f) = \{t \in T \mid \mathbb{F}(t, f) = \text{true}\}$ . Then, depending on  $\text{trs}(f)$ , there are two cases of assignment of output port  $\text{id}_f$ :

- **CASE**  $\text{trs}(f) = \emptyset$ :

By construction,  $\text{id}_f \Leftarrow \text{false} \in ss_{\uparrow}$  where  $ss_{\uparrow}$  is the part of the “function” process body executed during the rising edge phase.

By property of the  $\mathcal{H}$ -VHDL rising edge, the stabilize relations and  $\text{ps}("function", \emptyset, sl, ss) \in d.cs$ :

$$\sigma'(\text{id}_f) = \text{false} \quad (\text{C.60})$$

By property of  $\sum_{t \in \text{ Fired}(s)} \mathbb{F}(t, f)$  and  $\text{trs}(f) = \emptyset$ :

$$\sum_{t \in \text{ Fired}(s)} \mathbb{F}(t, f) = \text{false} \quad (\text{C.61})$$

Rewriting the goal with (C.59), (C.60) and (C.61), tautology.

- **CASE**  $\text{trs}(f) \neq \emptyset$ :

By construction,  $\text{id}_f \Leftarrow \text{id}_{ft_0} + \dots + \text{id}_{ft_n} \in ss_{\uparrow}$ , where  $\text{id}_{ft_i} \in \text{Sigs}(\Delta)$ ,  $ss_{\uparrow}$  is the part of the “function” process body executed during the rising edge phase, and  $n = |\text{trs}(f)| - 1$ .

By property of the  $\text{Inject}_{\uparrow}$ , the  $\mathcal{H}$ -VHDL rising edge, the stabilize relations, and  $\text{ps}("function", \emptyset, sl, ss) \in d.cs$ :

$$\sigma'(\text{id}_f) = \sigma(\text{id}_{ft_0}) + \dots + \sigma(\text{id}_{ft_n}) \quad (\text{C.62})$$

Rewriting the goal with (C.59) and (C.62),  $\boxed{\sum_{t \in \text{ Fired}(s)} \mathbb{F}(t, f) = \sigma(\text{id}_{ft_0}) + \dots + \sigma(\text{id}_{ft_n})}$

Let us reason on the value of  $\sigma(\text{id}_{ft_0}) + \dots + \sigma(\text{id}_{ft_n})$ ; there are two cases:

- **CASE**  $\sigma(\text{id}_{ft_0}) + \dots + \sigma(\text{id}_{ft_n}) = \text{true}$ :

Then, we can rewrite the goal as follows:  $\boxed{\sum_{t \in \text{ Fired}(s)} \mathbb{F}(t, f) = \text{true.}}$

To prove the above goal, let us show  $\boxed{\exists t \in \text{ Fired}(s) \text{ s.t. } \mathbb{F}(t, f) = \text{true.}}$

Knowing that  $\sigma(\text{id}_{ft_0}) + \dots + \sigma(\text{id}_{ft_n}) = \text{true}$ , then  $\exists \text{id}_{ft_i} \text{ s.t. } \sigma(\text{id}_{ft_i}) = \text{true}$ . Let us take such an  $\text{id}_{ft_i}$ .

By construction, for all  $\text{id}_{ft_i}$ , there exist a  $t_i \in \text{trs}(f)$ , an  $\text{id}_{t_i} \in \text{Comps}(\Delta)$ ,  $gm_{t_i}$ ,  $ipm_{t_i}$  and  $opm_{t_i}$  s.t.  $\gamma(t_i) = \text{id}_{t_i}$  and  $\text{comp}(\text{id}_{t_i}, "transition", gm_{t_i}, ipm_{t_i}, opm_{t_i}) \in d.cs$  and  $\langle \text{fire} \Rightarrow \text{id}_{ft_i} \rangle \in opm_{t_i}$ . Let us take such a  $t_i$ ,  $\text{id}_{t_i}$ ,  $gm_{t_i}$ ,  $ipm_{t_i}$  and  $opm_{t_i}$ .

By property of  $\sigma$  as being a stable design state, and  $\text{comp}(\text{id}_{t_i}, "transition", gm_{t_i}, ipm_{t_i}, opm_{t_i}) \in d.cs$ :

$$\sigma(\text{id}_{t_i})(“fired”) = \sigma(\text{id}_{ft_i}) \quad (\text{C.63})$$

Thanks to (C.63) and  $\sigma(id_{ft_i}) = \text{true}$ , we can deduce that  $\sigma(id_{t_i})(\text{"fired"}) = \text{true}$ .

By property of  $\gamma \vdash s \stackrel{\downarrow}{\sim} \sigma$ :

$$t_i \in Fired(s) \Leftrightarrow \sigma(id_{t_i})(\text{"fired"}) = \text{true} \quad (\text{C.64})$$

Thanks to (C.64), we can deduce  $t_i \in Fired(s)$ .

Let us use  $t_i$  to prove the goal:  $\boxed{\mathbb{F}(t, f) = \text{true}}$ .

By definition of  $t_i \in \text{trs}(f)$ ,  $\boxed{\mathbb{F}(t, f) = \text{true}}$ .

- **CASE**  $\sigma(id_{ft_0}) + \dots + \sigma(id_{ft_n}) = \text{false}$ :

Then, we can rewrite the goal as follows:  $\boxed{\sum_{t \in Fired(s)} \mathbb{F}(t, f) = \text{false}}$

To prove the above goal, let us show  $\boxed{\forall t \in Fired(s) \text{ s.t. } \mathbb{F}(t, f) = \text{false}}$ .

Given a  $t \in Fired(s)$ , let us show  $\boxed{\mathbb{F}(t, f) = \text{false}}$ .

Let us perform case analysis on  $\mathbb{F}(t, f)$ ; there are 2 cases:

\* **CASE**  $\boxed{\mathbb{F}(t, f) = \text{false}}$ .

\* **CASE**  $\boxed{\mathbb{F}(t, f) = \text{true}}$ :

By construction, for all  $t \in T$  s.t.  $\mathbb{F}(t, f) = \text{true}$ , there exist an  $id_t \in \text{Comps}(\Delta)$ ,  $gm_t, ipm_t, opm_t$  and  $id_{ft_i} \in \text{Sigs}(\Delta)$  s.t.  $\gamma(t) = id_t$  and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$  and  $\langle \text{fired} \Rightarrow id_{ft_i} \rangle \in opm_t$ . Let us take such a  $id_t, gm_t, ipm_t, opm_t$  and  $id_{ft_i}$ .

By property of stable design state  $\sigma$  and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , equation (C.63) holds.

By property of  $\gamma \vdash s \stackrel{\downarrow}{\sim} \sigma$ , equation (C.64) holds.

Thanks to (C.63) and (C.64), we can deduce that  $\sigma(id_{ft_i}) = \text{true}$ .

Then,  $\sigma(id_{ft_i}) = \text{true}$  contradicts  $\sigma(id_{ft_0}) + \dots + \sigma(id_{ft_n}) = \text{false}$ .

□

### C.3.7 Rising edge and sensitization

**Lemma 29** (Rising Edge Equal Sensitized). *For all  $sitpn, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_\uparrow, \sigma'$  that verify the hypotheses of Def. 12, then*

$\forall t \in T, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in \text{Sens}(s'.M) \Leftrightarrow \sigma'(id_t)(\text{"s_enabled"}) = \text{true}$ .

*Proof.* Given a  $t \in T$  and an  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show

$$\boxed{t \in \text{Sens}(s'.M) \Leftrightarrow \sigma'(id_t)(\text{"s_enabled"}) = \text{true}}$$

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ . Then, the proof is in two parts:

1. Assuming that  $t \in \text{Sens}(s'.M)$ , let us show  $\boxed{\sigma'(id_t)(\text{"s_enabled"}) = \text{true}}$ .

By property of the stabilize relation and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_t)(\text{"se"}) = \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"input_arcs_valid"})[i] \quad (\text{C.65})$$

Rewriting the goal with (C.65),  $\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"iav"})[i] = \text{true}$ .

To prove the goal, let us show that  $\forall i \in [0, \Delta(id_t)(\text{"ian"}) - 1], \sigma'(id_t)(\text{"iav"})[i] = \text{true}$ .

Given an  $i \in [0, \Delta(id_t)(\text{"ian"}) - 1]$ , let us show  $\sigma'(id_t)(\text{"iav"})[i] = \text{true}$ .

Let us perform case analysis on  $\text{input}(t)$ .

- **CASE**  $\text{input}(t) = \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow 1 \rangle \in gm_t$  and  $\langle \text{input\_arcs\_valid}(0) \Rightarrow \text{true} \rangle \in ipm_t$ .

By property of the elaboration and stabilize relations and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\Delta(id_t)(\text{"ian"}) = 1 \quad (\text{C.66})$$

$$\sigma'(id_t)(\text{"iav"})[0] = \text{true} \quad (\text{C.67})$$

Thanks to (C.66), we can deduce that  $i = 0$ . Rewriting the goal with (C.67), tautology.

- **CASE**  $\text{input}(t) \neq \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |\text{input}(t)| \rangle \in gm_t$ .

By property of the elaboration relation and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\Delta(id_t)(\text{"ian"}) = |\text{input}(t)| \quad (\text{C.68})$$

Thanks to (C.68), we know that  $i \in [0, |\text{input}(t)| - 1]$ .

By construction, there exist a  $p \in \text{input}(t)$ ,  $id_p \in \text{Comps}(\Delta)$ ,  $gm_p, ipm_p, opm_p, j \in [0, |\text{output}(p)| - 1]$  and  $id_{ji} \in Sigs(\Delta)$  s.t.  $\gamma(p) = id_p$  and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$  and  $\langle \text{output\_arcs\_valid}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{input\_arcs\_valid}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ .

By property of the stabilize relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$  and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_t)(\text{"iav"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"oav"})[j] \quad (\text{C.69})$$

Rewriting the goal with (C.69),  $\sigma'(id_p)(\text{"oav"})[j] = \text{true}$ .

By property of the stabilize relation and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ :

$$\begin{aligned} \sigma'(id_p)(\text{"oav"})[j] &= ((\sigma'(id_p)(\text{"oat"})[j] = \text{BASIC} + \sigma'(id_p)(\text{"oat"})[j] = \text{TEST}) \\ &\quad \cdot \sigma'(id_p)(\text{"sm"}) \geq \sigma'(id_p)(\text{"oaw"})[j]) \\ &\quad + (\sigma'(id_p)(\text{"oat"})[j] = \text{INHIB} \cdot \sigma'(id_p)(\text{"sm"}) < \sigma'(id_p)(\text{"oaw"})[j]) \end{aligned} \quad (\text{C.70})$$

Rewriting the goal with (C.70),

$$\begin{aligned} \text{true} = & ((\sigma'(id_p)(\text{"oat"})[j] = \text{BASIC} + \sigma'(id_p)(\text{"oat"})[j] = \text{TEST}) \\ & \cdot \sigma'(id_p)(\text{"sm"}) \geq \sigma'(id_p)(\text{"oaw"})[j]) \\ & + (\sigma'(id_p)(\text{"oat"})[j] = \text{INHIB} \cdot \sigma'(id_p)(\text{"sm"}) < \sigma'(id_p)(\text{"oaw"})[j]) \end{aligned}$$

Let us perform case analysis on  $\text{pre}(p, t)$ ; there are 3 cases:

- **CASE  $\text{pre}(p, t) = (\omega, \text{BASIC})$ :**

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{BASIC} \rangle \in ipm_p$  and  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_p)(\text{"oat"})[j] = \text{BASIC} \quad (\text{C.71})$$

$$\sigma'(id_p)(\text{"oaw"})[j] = \omega \quad (\text{C.72})$$

Rewriting the goal with (C.71) and (C.72), and simplifying the goal:

$$\boxed{\sigma'(id_p)(\text{"sm"}) \geq \omega = \text{true.}}$$

Appealing to Lemma **Rising Edge Equal Marking**:

$$s'.M(p) = \sigma'(id_p)(\text{"sm"}) \quad (\text{C.73})$$

Rewriting the goal with (C.73):  $\boxed{s'.M(p) \geq \omega = \text{true.}}$

By definition of  $t \in \text{Sens}(s'.M)$ ,  $\boxed{s'.M(p) \geq \omega = \text{true.}}^1$

- **CASE  $\text{pre}(p, t) = (\omega, \text{TEST})$ :** same as the preceding case.

- **CASE  $\text{pre}(p, t) = (\omega, \text{INHIB})$ :**

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{INHIB} \rangle \in ipm_p$  and

$\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_p)(\text{"oat"})[j] = \text{INHIB} \quad (\text{C.74})$$

$$\sigma'(id_p)(\text{"oaw"})[j] = \omega \quad (\text{C.75})$$

Rewriting the goal with (C.74) and (C.75), and simplifying the goal:

$$\boxed{\sigma'(id_p)(\text{"sm"}) < \omega = \text{true.}}$$

Appealing to Lemma **Rising Edge Equal Marking**, equation (C.73) holds.

Rewriting the goal with (C.73):  $\boxed{s'.M(p) < \omega = \text{true.}}$

By definition of  $t \in \text{Sens}(s'.M)$ ,  $\boxed{s'.M(p) < \omega = \text{true.}}$

2. Assuming that  $\sigma'(id_t)(\text{"s\_enabled"}) = \text{true}$ , let us show  $\boxed{t \in \text{Sens}(s'.M).}$

<sup>1</sup>Here  $\geq$  denotes a boolean operator, i.e  $\geq \in \mathbb{N} \rightarrow \mathbb{N} \rightarrow \mathbb{B}$ . As the  $\geq \subseteq (\mathbb{N} \times \mathbb{N})$  relation is decidable for all pairs of natural numbers, we can interchange an expression  $a \geq b = \text{true}$  with  $a \geq b$  where  $a, b \in \mathbb{N}$ .

By definition of  $t \in \text{Sens}(s'.M)$ , let us show

$$\boxed{\forall p \in P, \omega \in \mathbb{N}^*, (\text{pre}(p, t) = (\omega, \text{basic}) \vee \text{pre}(p, t) = (\omega, \text{test})) \Rightarrow s'.M(p) \geq \omega \wedge (\text{pre}(p, t) = (\omega, \text{inhib}) \Rightarrow s'.M(p) < \omega)}$$

Given a  $p \in P$  and an  $\omega \in \mathbb{N}^*$ , let us show

$$\boxed{\text{pre}(p, t) = (\omega, \text{basic}) \vee \text{pre}(p, t) = (\omega, \text{test}) \Rightarrow s'.M(p) \geq \omega} \text{ and}$$

$$\boxed{\text{pre}(p, t) = (\omega, \text{inhib}) \Rightarrow s'.M(p) < \omega.}$$

(a) Assuming  $\text{pre}(p, t) = (\omega, \text{basic}) \vee \text{pre}(p, t) = (\omega, \text{test})$ , let us show  $\boxed{s'.M(p) \geq \omega.}$

The proceeding is the same for  $\text{pre}(p, t) = (\omega, \text{basic})$  and  $\text{pre}(p, t) = (\omega, \text{test})$ . Therefore, we will only cover the case where  $\text{pre}(p, t) = (\omega, \text{basic})$ .

By property of the stabilize relation and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , equation (C.65) holds.

Rewriting  $\sigma'(id_t)(\text{"se"}) = \text{true}$  with (C.65),  $\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"input_arcs_valid"})[i] = \text{true.}$

Then, we can deduce that  $\forall i \in [0, \Delta(id_t)(\text{"ian"}) - 1], \sigma'(id_t)(\text{"iav"})[i] = \text{true.}$

By construction, there exist an  $id_p \in \text{Comps}(\Delta), gm_p, ipm_p, opm_p, i \in [0, |\text{input}(t)| - 1], j \in [0, |\text{output}(p)| - 1]$  and  $id_{ji} \in \text{Sigs}(\Delta)$  s.t.  $\gamma(p) = id_p$  and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$  and  $\langle \text{output_arcs_valid}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{input_arcs_valid}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ . Let us take such an  $id_p \in \text{Comps}(\Delta), gm_p, ipm_p, opm_p, i \in [0, |\text{input}(t)| - 1], j \in [0, |\text{output}(p)| - 1]$  and  $id_{ji} \in \text{Sigs}(\Delta)$ .

By construction,  $\langle \text{input_arcs_number} \Rightarrow |\text{input}(t)| \rangle \in gm_t$ .

By property of the elaboration relation and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , equation (C.68) holds.

Thanks to (C.68), we can deduce that  $\forall i \in [0, |\text{input}(t)| - 1], \sigma'(id_t)(\text{"iav"})[i] = \text{true.}$

Having such an  $i \in [0, |\text{input}(t)| - 1]$ , we can deduce that  $\sigma'(id_t)(\text{"iav"})[i] = \text{true.}$

By property of the stabilize relation,  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$  and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , equation (C.69) holds.

Thanks to (C.69), we can deduce that  $\sigma'(id_p)(\text{"oav"})[j] = \text{true.}$

By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , equation (C.70) holds. Thanks to (C.70), we can deduce that:

$$\begin{aligned} \text{true} = & ((\sigma'(id_p)(\text{"oat"})[j] = \text{BASIC} + \sigma'(id_p)(\text{"oat"})[j] = \text{TEST}) \\ & \cdot \sigma'(id_p)(\text{"sm"}) \geq \sigma'(id_p)(\text{"oaw"})[j]) \\ & + (\sigma'(id_p)(\text{"oat"})[j] = \text{INHIB} \cdot \sigma'(id_p)(\text{"sm"}) < \sigma'(id_p)(\text{"oaw"})[j]) \end{aligned}$$

By construction,  $\langle \text{output_arcs_types}(j) \Rightarrow \text{BASIC} \rangle \in ipm_p$  and  $\langle \text{output_arcs_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , equations (C.71) and (C.72) hold.

Thanks to (C.71) and (C.72), we can deduce that  $\sigma'(id_p)(\text{"sm"}) \geq \omega = \text{true.}$

Appealing to Lemma **Rising Edge Equal Marking**,  $s'.M(p) \geq \omega.$

(b) Assuming  $\text{pre}(p, t) = (\omega, \text{inhib})$ , let us show  $s'.M(p) < \omega$ .

The proceeding is the same as the preceding case. Here, we will start the proof where the two cases are diverging, i.e:

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{INHIB} \rangle \in ipm_p$  and  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , equations (C.74) and (C.72) hold.

Thanks to (C.74) and (C.72), we can deduce that  $\sigma'(id_p)(\text{"sm"}) < \omega = \text{true}$ .

Appealing to Lemma [Rising Edge Equal Marking](#),  $s'.M(p) < \omega$ .

□

**Lemma 30** (Rising Edge Equal Not Sensitized). *For all  $\text{sitpn}, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_\uparrow, \sigma'$  that verify the hypotheses of Def. 12, then*

$\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t, t \notin \text{Sens}(s'.M) \Leftrightarrow \sigma'(id_t)(\text{"s\_enabled"}) = \text{false}$ .

*Proof.* Proving the above lemma is trivial by appealing to Lemma [Rising Edge Equal Sensitized](#) and by reasoning on contrapositives. □

## C.4 Falling Edge

### C.4.1 Falling Edge and marking

**Lemma 31** (Falling Edge Equal Marking). *For all  $\text{sitpn}, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall p \in P, id_p \in \text{Comps}(\Delta)$  s.t.  $\gamma(p) = id_p, s'.M(p) = \sigma'(id_p)(\text{"s_marking"})$ .*

*Proof.* Given a  $p \in P$  and an  $id \in \text{Comps}(\Delta)$  s.t.  $\gamma(p) = id_p$ , let us show

$s'.M(p) = \sigma'(id_p)(\text{"s_marking"}).$

By definition of  $E_c, \tau \vdash \text{sitpn}, s \xrightarrow{\downarrow} s'$ :

$$s.M(p) = s'.M(p) \quad (\text{C.76})$$

By property of the  $\text{Inject}_\downarrow$  relation, the  $\mathcal{H}$ -VHDL falling edge relation, the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_p)(\text{"s_marking"}) = \sigma(id_p)(\text{"s_marking"}) \quad (\text{C.77})$$

Rewriting the goal with (C.76) and (C.77):  $s.M(p) = \sigma(id_p)(\text{"s_marking"}).$

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\downarrow} \sigma$ :  $s.M(p) = \sigma(id_p)(\text{"s_marking"}).$

□

**Lemma 32** (Falling Edge Equal Output Token Sum). *For all  $\text{sitpn}, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall p, id_p$  s.t.  $\gamma(p) = id_p, \sum_{t \in \text{Fired}(s')} \text{pre}(p, t) = \sigma'(id_p)(\text{"s_output_token_sum"})$ .*

*Proof.* Given a  $p \in P$  and an  $id_p \in Comps(\Delta)$ , let us show

$$\sum_{t \in Fired(s')} pre(p, t) = \sigma'(id_p)(\text{"s\_output\_token\_sum"}).$$

By definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ . By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_p)(\text{"sots"}) = \sum_{i=0}^{\Delta(id_p)(\text{"oan"})-1} \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] \text{ if } (\sigma'(id_p)(\text{"otf"})[i] \\ \quad . \sigma'(id_p)(\text{"oat"})[i] = \text{BASIC}) \\ 0 \text{ otherwise} \end{cases} \quad (\text{C.78})$$

Rewriting the goal with (C.78):

$$\sum_{t \in Fired(s')} pre(p, t) = \sum_{i=0}^{\Delta(id_p)(\text{"oan"})-1} \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] \text{ if } (\sigma'(id_p)(\text{"otf"})[i] \\ \quad . \sigma'(id_p)(\text{"oat"})[i] = \text{BASIC}) \\ 0 \text{ otherwise} \end{cases}$$

Let us unfold the definition of the left sum term:

$$\begin{aligned} \sum_{t \in Fired(s')} & \begin{cases} \omega \text{ if } pre(p, t) = (\omega, \text{basic}) \\ 0 \text{ otherwise} \end{cases} \\ &= \\ \sum_{i=0}^{\Delta(id_p)(\text{"oan"})-1} & \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] \text{ if } (\sigma'(id_p)(\text{"otf"})[i] \\ \quad . \sigma'(id_p)(\text{"oat"})[i] = \text{BASIC}) \\ 0 \text{ otherwise} \end{cases} \end{aligned}$$

To ease the reading, let us define functions  $f \in Fired(s') \rightarrow \mathbb{N}$  and  $g \in [0, |output(p)| - 1] \rightarrow \mathbb{N}$  s.t.

$$f(t) = \begin{cases} \omega \text{ if } pre(p, t) = (\omega, \text{basic}) \\ 0 \text{ otherwise} \end{cases} \quad \text{and } g(i) = \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] \text{ if } (\sigma'(id_p)(\text{"otf"})[i] \\ \quad . \sigma'(id_p)(\text{"oat"})[i] = \text{BASIC}) \\ 0 \text{ otherwise} \end{cases}$$

$$\text{Then, the goal is: } \sum_{t \in Fired(s')} f(t) = \sum_{i=0}^{\Delta(id_p)(\text{"oan"})-1} g(i)$$

Let us perform case analysis on  $output(p)$ ; there are two cases:

1.  $output(p) = \emptyset$ :

By construction,  $\langle output\_arcs\_number \Rightarrow 1 \rangle \in gm_p, \langle output\_arcs\_types(0) \Rightarrow \text{BASIC} \rangle \in ipm_p, \langle output\_transitions\_fired(0) \Rightarrow \text{true} \rangle \in ipm_p$ , and  $\langle output\_arcs\_weights(0) \Rightarrow 0 \rangle \in ipm_p$ .

By property of the elaboration relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\Delta(id_p)(\text{"oan"}) = 1 \quad (\text{C.79})$$

By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_p)(“oat”)[0] = \text{BASIC} \quad (\text{C.80})$$

$$\sigma'(id_p)(“otf”)[0] = \text{true} \quad (\text{C.81})$$

$$\sigma'(id_p)(“oaw”)[0] = 0 \quad (\text{C.82})$$

By property of  $output(p) = \emptyset$ :

$$\sum_{t \in Fired(s')} \begin{cases} \omega \text{ if } pre(p, t) = (\omega, \text{basic}) \\ 0 \text{ otherwise} \end{cases} = 0 \quad (\text{C.83})$$

Rewriting the goal with (C.79), (C.80), (C.81), (C.82) and (C.83), tautology.

- 2.  $output(p) \neq \emptyset$ :

By construction,  $<\text{output\_arcs\_number} \Rightarrow |output(p)|> \in gm_p$ , and by property of the elaboration relation:

$$\Delta(id_p)(“oan”) = |output(p)| \quad (\text{C.84})$$

Rewriting the goal with (C.84): 
$$\sum_{t \in Fired(s')} f(t) = \sum_{i=0}^{|output(p)|-1} g(i).$$

Let us reason by induction on the right sum term of the goal.

- **BASE CASE:**

In that case,  $0 > |output| - 1$  and  $\sum_{i=0}^{|output(p)|-1} g(i) = 0$ .

As  $0 > |output| - 1$ , then  $|output(p)| = 0$ , thus contradicting  $output(p) \neq \emptyset$ .

- **INDUCTION CASE:**

In that case,  $0 \leq |output(p)| - 1$ .

$$\forall F \subseteq Fired(s'), g(0) + \sum_{t \in F} f(t) = g(0) + \sum_{i=1}^{|output(p)|-1} g(i)$$

$$\sum_{t \in Fired(s')} f(t) = g(0) + \sum_{i=1}^{|output(p)|-1} g(i)$$

By definition of  $g$ :

$$g(0) = \begin{cases} \sigma'(id_p)(“oaw”)[0] \text{ if } (\sigma'(id_p)(“otf”)[0] \\ \quad \cdot \sigma'(id_p)(“oat”)[0] = \text{BASIC}) \\ 0 \text{ otherwise} \end{cases} \quad (\text{C.85})$$

Let us perform case analysis on the value of  $\sigma'(id_p)(“otf”)[0] \cdot \sigma'(id_p)(“oat”)[0] = \text{BASIC}$ ; there are two cases:

(a)  $(\sigma'(id_p)(“otf”)[0] \cdot \sigma'(id_p)(“oat”)[0] = \text{BASIC}) = \text{false}$ :

In that case,  $g(0) = 0$ , and then we can apply the induction hypothesis with  $F = Fired(s')$

to solve the goal:  $\sum_{t \in Fired(s')} f(t) = \sum_{i=1}^{|output(p)|-1} g(i).$

(b)  $(\sigma'(id_p)(“otf”)[0] \cdot \sigma'(id_p)(“oat”)[0] = \text{BASIC}) = \text{true}$ :

In that case,  $g(0) = \sigma'(id_p)(“oaw”)[0]$ ,  $\sigma'(id_p)(“otf”)[0] = \text{true}$  and  $\sigma'(id_p)(“oat”)[0] = \text{BASIC}$ .

By construction, there exist a  $t \in output(p)$ ,  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ . Let us take such a  $t \in output(p)$ .

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, “transition”, gm_t, ipm_t, opm_t) \in d.cs$ .

As  $t \in output(p)$ , there exist  $\omega \in \mathbb{N}^*$  and  $a \in \{\text{BASIC}, \text{TEST}, \text{INHIB}\}$  s.t.  $\text{pre}(p, t) = (\omega, a)$ .

Let us take an  $\omega$  and  $a$  s.t.  $\text{pre}(p, t) = (\omega, a)$ .

By construction,  $\langle output\_arcs\_types(0) \Rightarrow a \rangle \in ipm_p$ ,

$\langle output\_arcs\_weights(0) \Rightarrow \omega \rangle \in ipm_p$ , and there exists  $id_{ft} \in Sigs(\Delta)$  s.t.  $\langle fired \Rightarrow id_{ft} \rangle \in opm_t$  and  $\langle output\_transitions\_fired(0) \Rightarrow id_{ft} \rangle \in ipm_p$

By property of the stabilize relation,  $\sigma'(id_p)(“oat”)[0] = \text{BASIC}$  and

$\langle output\_arcs\_types(0) \Rightarrow a \rangle \in ipm_p$ :

$$\text{pre}(p, t) = (\omega, \text{basic}) \quad (\text{C.86})$$

By property of the stabilize relation,  $\langle fired \Rightarrow id_{ft} \rangle \in opm_t$ ,

$\langle output\_transitions\_fired(0) \Rightarrow id_{ft} \rangle \in ipm_p$  and  $\sigma'(id_p)(“otf”)[0] = \text{true}$ :

$$\sigma'(id_t)(“fired”)[0] = \text{true} \quad (\text{C.87})$$

Appealing to Lemma 4, we know  $t \in Fired(s')$ .

As  $t \in Fired(s')$ , we can rewrite the left sum term of the goal as follows:

$$f(t) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = g(0) + \sum_{i=1}^{|output(p)|-1} g(i)$$

We know that  $g(0) = \sigma'(id_p)(“oaw”)[0]$ , and by property of the stabilize relation and  $\langle output\_arcs\_weights(0) \Rightarrow \omega \rangle \in ipm_p$ :

$$\sigma'(id_p)(“oaw”)[0] = \omega \quad (\text{C.88})$$

Rewriting the goal with (C.88):

$$f(t) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = \omega + \sum_{i=1}^{|output(p)|-1} g(i)$$

By definition of  $f$ , and as  $\text{pre}(p, t) = (\omega, \text{basic})$ , then  $f(t) = \omega$ ; thus, rewriting the goal:

$$\omega + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = \omega + \sum_{i=1}^{|output(p)|-1} g(i)$$

Then, knowing that  $g(0) = \omega$ , we can apply the induction hypothesis with  $F = Fired(s') \setminus \{t\}$ :

$$g(0) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = g(0) + \sum_{i=1}^{|output(p)|-1} g(i).$$

□

**Lemma 33** (Falling Edge Equal Input Token Sum). *For all  $s \in pn$ ,  $d$ ,  $\gamma$ ,  $\Delta$ ,  $\sigma_e$ ,  $E_c$ ,  $E_p$ ,  $\tau$ ,  $s$ ,  $s'$ ,  $\sigma$ ,  $\sigma_i$ ,  $\sigma_\downarrow$ ,  $\sigma'$  that verify the hypotheses of Def. 9, then  $\forall p, id_p$  s.t.  $\gamma(p) = id_p$ ,  $\sum_{t \in Fired(s')} post(t, p) = \sigma'_p("s\_input\_token\_sum")$ .*

*Proof.* Given a  $p \in P$  and an  $id_p \in Comps(\Delta)$ , let us show

$$\sum_{t \in Fired(s')} post(t, p) = \sigma'(id_p)(“s\_input\_token\_sum”).$$

By definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, “place”, gm_p, ipm_p, opm_p) \in d.cs$ . By property of the stabilize relation and  $\text{comp}(id_p, “place”, gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_p)(“sits”) = \sum_{i=0}^{\Delta(id_p)(“ian”)-1} \begin{cases} \sigma'(id_p)(“iaw”)[i] & \text{if } \sigma'(id_p)(“itf”)[i] \\ 0 & \text{otherwise} \end{cases} \quad (\text{C.89})$$

Rewriting the goal with (C.89):

$$\sum_{t \in Fired(s')} post(t, p) = \sum_{i=0}^{\Delta(id_p)(“ian”)-1} \begin{cases} \sigma'(id_p)(“iaw”)[i] & \text{if } \sigma'(id_p)(“otf”)[i] \\ 0 & \text{otherwise} \end{cases}$$

Let us unfold the definition of the left sum term:

$$\begin{aligned} \sum_{t \in Fired(s')} & \begin{cases} \omega & \text{if } post(t, p) = \omega \\ 0 & \text{otherwise} \end{cases} \\ &= \\ \sum_{i=0}^{\Delta(id_p)(“ian”)-1} & \begin{cases} \sigma'(id_p)(“iaw”)[i] & \text{if } \sigma'(id_p)(“itf”)[i] \\ 0 & \text{otherwise} \end{cases} \end{aligned}$$

Let us perform case analysis on  $input(p)$ ; there are two cases:

1.  $input(p) = \emptyset$ :

By construction,  $\langle input\_arcs\_number \Rightarrow 1 \rangle \in gm_p$ ,  $\langle input\_transitions\_fired(0) \Rightarrow \text{true} \rangle \in ipm_p$ , and  $\langle input\_arcs\_weights(0) \Rightarrow 0 \rangle \in opm_p$ .

By property of the elaboration relation and  $\text{comp}(id_p, “place”, gm_p, ipm_p, opm_p) \in d.cs$ :

$$\Delta(id_p)(“ian”) = 1 \quad (\text{C.90})$$

By property of the stabilize relation and  $\text{comp}(id_p, “place”, gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_p)(“itf”)[0] = \text{true} \quad (\text{C.91})$$

$$\sigma'(id_p)(“iaw”)[0] = 0 \quad (\text{C.92})$$

By property of  $\text{input}(p) = \emptyset$ :

$$\sum_{t \in \text{Fired}(s')} \begin{cases} \omega & \text{if } \text{post}(t, p) = \omega \\ 0 & \text{otherwise} \end{cases} = 0 \quad (\text{C.93})$$

Rewriting the goal with (C.90), (C.91), (C.92), and (C.93), and simplifying the goal, tautology.

2.  $\text{input}(p) \neq \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |\text{input}(p)| \rangle \in gm_p$ , and by property of the elaboration relation:

$$\Delta(id_p)(\text{"ian"}) = |\text{input}(p)| \quad (\text{C.94})$$

To ease the reading, let us define functions  $f \in \text{Fired}(s') \rightarrow \mathbb{N}$  and  $g \in [0, |\text{input}(p)| - 1] \rightarrow \mathbb{N}$   
s.t.  $f(t) = \begin{cases} \omega & \text{if } \text{post}(t, p) = \omega \\ 0 & \text{otherwise} \end{cases}$  and  
 $g(i) = \begin{cases} \sigma'(id_p)(\text{"iaw"})[i] & \text{if } \sigma'(id_p)(\text{"itf"})[i] \\ 0 & \text{otherwise} \end{cases}$

Then, the goal is: 
$$\boxed{\sum_{t \in \text{Fired}(s')} f(t) = \sum_{i=0}^{\Delta(id_p)(\text{"ian"})-1} g(i)}$$

Rewriting the goal with (C.94): 
$$\boxed{\sum_{t \in \text{Fired}(s')} f(t) = \sum_{i=0}^{|\text{input}(p)|-1} g(i).}$$

Let us reason by induction on the right sum term of the goal.

- **BASE CASE:**

In that case,  $0 > |\text{input}(p)| - 1$  and  $\sum_{i=0}^{|\text{input}(p)|-1} g(i) = 0$ .

As  $0 > |\text{input}(p)| - 1$ , then  $|\text{input}(p)| = 0$ , thus contradicting  $\text{input}(p) \neq \emptyset$ .

- **INDUCTION CASE:**

In that case,  $0 \leq |\text{input}(p)| - 1$ .

$$\forall F \subseteq \text{Fired}(s'), g(0) + \sum_{t \in F} f(t) = g(0) + \sum_{i=1}^{|\text{input}(p)|-1} g(i)$$

$$\boxed{\sum_{t \in \text{Fired}(s')} f(t) = g(0) + \sum_{i=1}^{|\text{input}(p)|-1} g(i)}$$

By definition of  $g$ :

$$g(0) = \begin{cases} \sigma'(id_p)(\text{"iaw"})[0] & \text{if } \sigma'(id_p)(\text{"itf"})[0] \\ 0 & \text{otherwise} \end{cases} \quad (\text{C.95})$$

Let us perform case analysis on the value of  $\sigma'(id_p)(“itf”)[0]$ ; there are two cases:

(a)  $\sigma'(id_p)(“itf”)[0] = \text{false}$ :

In that case,  $g(0) = 0$ , and then we can apply the induction hypothesis with  $F = Fired(s')$

to solve the goal:  $\sum_{t \in Fired(s')} f(t) = \sum_{i=1}^{|input(p)|-1} g(i).$

(b)  $\sigma'(id_p)(“itf”)[0] = \text{true}$ :

In that case,  $g(0) = \sigma'(id_p)(“iaw”)[0]$  and  $\sigma'(id_p)(“itf”)[0] = \text{true}$ .

By construction, there exist a  $t \in input(t)$ ,  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ . Let us take such a  $t \in input(p)$ .

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, “transition”, gm_t, ipm_t, opm_t) \in d.cs$ .

As  $t \in input(p)$ , there exist  $\omega \in \mathbb{N}^*$  s.t.  $post(t, p) = \omega$ . Let us take an  $\omega$  s.t.  $post(t, p) = \omega$ .

By construction,  $\langle \text{input\_arcs\_weights}(0) \Rightarrow \omega \rangle \in ipm_p$ , and there exists  $id_{ft} \in Sigs(\Delta)$  s.t.  $\langle \text{fire} \Rightarrow id_{ft} \rangle \in opm_t$  and  $\langle \text{input\_transitions\_fire}(0) \Rightarrow id_{ft} \rangle \in ipm_p$

By property of the stabilize relation and  $\langle \text{input\_arcs\_types}(0) \Rightarrow a \rangle \in ipm_p$ :

$$post(t, p) = \omega \quad (\text{C.96})$$

By property of the stabilize relation,  $\langle \text{fire} \Rightarrow id_{ft} \rangle \in opm_t$ ,

$\langle \text{input\_transitions\_fire}(0) \Rightarrow id_{ft} \rangle \in ipm_p$  and  $\sigma'(id_p)(“itf”)[0] = \text{true}$ :

$$\sigma'(id_t)(“fired”)[0] = \text{true} \quad (\text{C.97})$$

Appealing to Lemma 4 and (C.97), we know  $t \in Fired(s')$ .

As  $t \in Fired(s')$ , we can rewrite the left sum term of the goal as follows:

$$f(t) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = g(0) + \sum_{i=1}^{|input(p)|-1} g(i)$$

We know that  $g(0) = \sigma'(id_p)(“iaw”)[0]$ , and by property of the stabilize relation and  $\langle \text{input\_arcs\_weights}(0) \Rightarrow \omega \rangle \in ipm_p$ :

$$\sigma'(id_p)(“iaw”)[0] = \omega \quad (\text{C.98})$$

Rewriting the goal with (C.98):

$$f(t) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = \omega + \sum_{i=1}^{|input(p)|-1} g(i)$$

By definition of  $f$ , and as  $post(t, p) = \omega$ , then  $f(t) = \omega$ ; thus, rewriting the goal:

$$\omega + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = \omega + \sum_{i=1}^{|input(p)|-1} g(i)$$

Then, knowing that  $g(0) = \omega$ , we can apply the induction hypothesis with  $F = Fired(s') \setminus \{t\}$ :

$$g(0) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = g(0) + \sum_{i=1}^{|input(p)|-1} g(i).$$

□

### C.4.2 Falling edge and time counters

**Lemma 34** (Falling Edge Equal Time Counters). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall t \in T_i, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  
 $(upper(I_s(t)) = \infty \wedge s'.I(t) \leq lower(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(s\_time\_counter')$   
 $\wedge (upper(I_s(t)) = \infty \wedge s'.I(t) > lower(I_s(t))) \Rightarrow \sigma'(id_t)(s\_time\_counter') = lower(I_s(t)))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) > upper(I_s(t))) \Rightarrow \sigma'(id_t)(s\_time\_counter') = upper(I_s(t)))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) \leq upper(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(s\_time\_counter')).$*

*Proof.* Given a  $t \in T_i$  and an  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show

$$\begin{aligned} &(upper(I_s(t)) = \infty \wedge s'.I(t) \leq lower(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(s\_time\_counter') \\ &\wedge (upper(I_s(t)) = \infty \wedge s'.I(t) > lower(I_s(t))) \Rightarrow \sigma'(id_t)(s\_time\_counter') = lower(I_s(t))) \\ &\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) > upper(I_s(t))) \Rightarrow \sigma'(id_t)(s\_time\_counter') = upper(I_s(t))) \\ &\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) \leq upper(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(s\_time\_counter')) \end{aligned}$$

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the elaboration,  $\text{Inject}_\downarrow$ ,  $\mathcal{H}$ -VHDL rising edge and stabilize relations, and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ :

$$\begin{aligned} \sigma(id_t)(se) &= \text{true} \wedge \Delta(id_t)(tt) \neq \text{NOT\_TEMPORAL} \wedge \sigma(id_t)(srtc) = \text{false} \\ &\wedge \sigma(id_t)(stc) < \Delta(id_t)(mtc) \Rightarrow \sigma'(id_t)(stc) = \sigma(id_t)(stc) + 1 \end{aligned} \quad (\text{C.99})$$

$$\begin{aligned} \sigma(id_t)(se) &= \text{true} \wedge \Delta(id_t)(tt) \neq \text{NOT\_TEMPORAL} \wedge \sigma(id_t)(srtc) = \text{false} \\ &\wedge \sigma(id_t)(stc) \geq \Delta(id_t)(mtc) \Rightarrow \sigma'(id_t)(stc) = \sigma(id_t)(stc) \end{aligned} \quad (\text{C.100})$$

$$\begin{aligned} \sigma(id_t)(se) &= \text{true} \wedge \Delta(id_t)(tt) \neq \text{NOT\_TEMPORAL} \\ &\wedge \sigma(id_t)(srtc) = \text{true} \Rightarrow \sigma'(id_t)(stc) = 1 \end{aligned} \quad (\text{C.101})$$

$$\sigma(id_t)(se) = \text{false} \vee \Delta(id_t)(tt) = \text{NOT\_TEMPORAL} \Rightarrow \sigma'(id_t)(stc) = 0 \quad (\text{C.102})$$

Then, there are 4 points to show:

1.  $upper(I_s(t)) = \infty \wedge s'.I(t) \leq lower(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(s\_time\_counter')$

Assuming  $upper(I_s(t)) = \infty$  and  $s'.I(t) \leq lower(I_s(t))$ , let us show

$$s'.I(t) = \sigma'(id_t)(s\_time\_counter').$$

Case analysis on  $t \in Sens(s.M)$ ; there are two cases:

(a)  $t \notin Sens(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ , we have  $\sigma(id_t)(se) = \text{false}$  (C.103).

Appealing to (C.102) and (C.103), we have  $\sigma'(id_t)(stc) = 0$  (C.104).

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s'.I(t) = 0$  (C.105).

Rewriting the goal with (C.104) and (C.105): tautology.

(b)  $t \in \text{Sens}(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $\sigma(id_t)(\text{"se"}) = \text{true}$  (C.106).

By construction, and as  $\text{upper}(I_s(t)) = \infty$ ,  $\langle \text{transition\_type} \Rightarrow \text{TEMP\_A\_INF} \rangle \in gm_t$ . By property of the elaboration relation, we have  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF}$  (C.107).

Case analysis on  $s.\text{reset}_t(t)$ ; there are two cases:

i.  $s.\text{reset}_t(t) = \text{true}$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ ,  $\sigma(id_t)(\text{"srtc"}) = \text{true}$  (C.108).

Appealing to (C.101), (C.106), (C.107) and (C.108), we have  $\sigma'(id_t)(\text{"stc"}) = 1$  (C.109).

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.I(t) = 1$  (C.110).

Rewriting the goal with (C.109) and (C.110): tautology.

ii.  $s.\text{reset}_t(t) = \text{false}$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $\sigma(id_t)(\text{"srtc"}) = \text{false}$  (C.111).

As  $\text{upper}(I_s(t)) = \infty$ , there exists an  $a \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, \infty]$ . Let us take such an  $a \in \mathbb{N}^*$ . By construction,  $\langle \text{maximal\_time\_counter} \Rightarrow a \rangle \in gm_t$ , and by property of the elaboration relation, we have  $\Delta(id_t)(\text{"mtc"}) = a$  (C.112).

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , and knowing that  $t \in \text{Sens}(s.M)$ ,  $s.\text{reset}_t(t) = \text{false}$  and  $\text{upper}(I_s(t)) = \infty$ :

$$s'.I(t) = s.I(t) + 1 \quad (\text{C.113})$$

Rewriting the goal with (C.113):  $s.I(t) + 1 = \sigma'(id_t)(\text{"stc"})$ .

We assumed that  $s'.I(t) \leq \text{lower}(I_s(t))$ , and as  $s'.I(t) = s.I(t) + 1$ , then  $s.I(t) + 1 \leq \text{lower}(I_s(t))$ , then  $s.I(t) < \text{lower}(I_s(t))$ , then  $s.I(t) < a$  since  $a = \text{lower}(I_s(t))$ .

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , and knowing that  $s.I(t) < \text{lower}(I_s(t))$  and  $\text{upper}(I_s(t)) = \infty$ :

$$s.I(t) = \sigma(id_t)(\text{"stc"}) \quad (\text{C.114})$$

Appealing to (C.112), (C.114) and  $s.I(t) < a$ :

$$\sigma(id_t)(\text{"stc"}) < \Delta(id_t)(\text{"mtc"}) \quad (\text{C.115})$$

Appealing to (C.99), (C.115), (C.111) and (C.106):

$$\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) + 1 \quad (\text{C.116})$$

Rewriting the goal with (C.116) and (C.114): tautology.

2.  $\boxed{\text{upper}(I_s(t)) = \infty \wedge s'.I(t) > \text{lower}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{lower}(I_s(t))}$

Assuming that  $\text{upper}(I_s(t)) = \infty$  and  $s'.I(t) > \text{lower}(I_s(t))$ , let us show

$$\boxed{\sigma'(id_t)(\text{"s\_time\_counter"}) = \text{lower}(I_s(t))}$$

As  $\text{upper}(I_s(t)) = \infty$ , there exists an  $a \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, \infty]$ . Let us take such an  $a \in \mathbb{N}^*$ . By construction,  $\langle \text{maximal\_time\_counter} \Rightarrow a \rangle \in gm_t$ , and  $\langle \text{transition\_type} \Rightarrow \text{TEMP\_A\_INF} \rangle \in$

$gm_t$  by property of the elaboration relation:

$$\Delta(id_t)(\text{"mtc"}) = a \quad (\text{C.117})$$

$$\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF} \quad (\text{C.118})$$

Case analysis on  $t \in \text{Sens}(s.M)$ :

(a)  $t \notin \text{Sens}(s.M)$ :

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , and knowing that  $t \in \text{Sens}(s.M)$ , then  $s'.I(t) = 0$ . Since  $\text{lower}(I_s(t)) \in \mathbb{N}^*$ , then  $\text{lower}(I_s(t)) > 0$ .

Contradicts  $s'.I(t) > \text{lower}(I_s(t))$ .

(b)  $t \in \text{Sens}(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$  and  $t \in \text{Sens}(s.M)$ :

$$\sigma(id_t)(\text{"se"}) = \text{true} \quad (\text{C.119})$$

Case analysis on  $s.\text{reset}_t(t)$ ; there are two cases:

i.  $s.\text{reset}_t(t) = \text{true}$ :

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ :  $s'.I(t) = 1$ .

We assumed that  $s'.I(t) > \text{lower}(I_s(t))$ , then  $1 > \text{lower}(I_s(t))$ .

Contradicts  $\text{lower}(I_s(t)) > 0$ .

ii.  $s.\text{reset}_t(t) = \text{false}$ :

By property of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$  and  $s.\text{reset}_t(t) = \text{false}$ :

$$\sigma(id_t)(\text{"srtc"}) = \text{false} \quad (\text{C.120})$$

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , and knowing that  $s'.I(t) > \text{lower}(I_s(t))$ :

$$\begin{aligned} s'.I(t) &= s.I(t) + 1 \Rightarrow s.I(t) + 1 > \text{lower}(I_s(t)) \\ &\Rightarrow s.I(t) \geq \text{lower}(I_s(t)) \end{aligned} \quad (\text{C.121})$$

Case analysis on  $s.I(t) \geq \text{lower}(I_s(t))$ :

A.  $s.I(t) > \text{lower}(I_s(t))$ :  $\boxed{\sigma'(id_t)(\text{"stc"}) = \text{lower}(I_s(t))}$ .

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ :

$$\sigma(id_t)(\text{"stc"}) = \text{lower}(I_s(t)) \quad (\text{C.122})$$

Appealing to (C.100):

$$\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) \quad (\text{C.123})$$

Rewriting the goal with (C.122) and (C.123): tautology.

$$\text{B. } s.I(t) = \text{lower}(I_s(t)): \boxed{\sigma'(id_t)(\text{"stc"}) = \text{lower}(I_s(t))}$$

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ :

$$s.I(t) = \sigma(id_t)(\text{"stc"}) \quad (\text{C.124})$$

Appealing to (C.100):

$$\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) \quad (\text{C.125})$$

Rewriting the goal with (C.125), (C.124) and  $s.I(t) = \text{lower}(I_s(t))$ : tautology.

$$3. \boxed{upper(I_s(t)) \neq \infty \wedge s'.I(t) > upper(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = upper(I_s(t))}$$

Assuming that  $upper(I_s(t)) \neq \infty$  and  $s'.I(t) > upper(I_s(t))$ , let us show

$$\boxed{\sigma'(id_t)(\text{"s_time_counter"}) = upper(I_s(t))}$$

As  $upper(I_s(t)) \neq \infty$ , there exists an  $a \in \mathbb{N}^*$ , and a  $b \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, b]$ . Let us take such an  $a$  and  $b$ . By construction, there exists  $tt \in \{\text{TEMP\_A\_A}, \text{TEMP\_A\_B}\}$  s.t.  $\langle \text{maximal_time_counter} \Rightarrow b \rangle \in gm_t$ , and  $\langle \text{transition_type} \Rightarrow tt \rangle \in gm_t$ ; by property of the elaboration relation:

$$\Delta(id_t)(\text{"mtc"}) = b = upper(I_s(t)) \quad (\text{C.126})$$

$$\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP} \quad (\text{C.127})$$

Case analysis on  $t \in Sens(s.M)$ :

(a)  $t \notin Sens(s.M)$ :

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , and knowing that  $t \in Sens(s.M)$ , then  $s'.I(t) = 0$ . Since  $upper(I_s(t)) \in \mathbb{N}^*$ , then  $upper(I_s(t)) > 0$ .

Contradicts  $s'.I(t) > upper(I_s(t))$ .

(b)  $t \in Sens(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$  and  $t \in Sens(s.M)$ :

$$\sigma(id_t)(\text{"se"}) = \text{true} \quad (\text{C.128})$$

Case analysis on  $s.reset_t(t)$ ; there are two cases:

i.  $s.reset_t(t) = \text{true}$ :

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ :  $s'.I(t) = 1$ .

We assumed that  $s'.I(t) > upper(I_s(t))$ , then  $1 > upper(I_s(t))$ .

Contradicts  $upper(I_s(t)) > 0$ .

ii.  $s.reset_t(t) = \text{false}$ :

By property of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$  and  $s.reset_t(t) = \text{false}$ :

$$\sigma(id_t)(\text{"srtc"}) = \text{false} \quad (\text{C.129})$$

Case analysis on  $s.I(t) > upper(I_s(t))$  or  $s.I(t) \leq upper(I_s(t))$ :

$$\boxed{\text{A. } s.I(t) > \text{upper}(I_s(t)): \sigma'(id_t)(\text{"stc"}) = \text{upper}(I_s(t)).}$$

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ :

$$s'.I(t) = s.I(t) \quad (\text{C.130})$$

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ :

$$\sigma(id_t)(\text{"stc"}) = \text{upper}(I_s(t)) \quad (\text{C.131})$$

Appealing to (C.100), we have  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$  and (C.131): tautology.

$$\boxed{\text{B. } s.I(t) \leq \text{upper}(I_s(t)): \sigma'(id_t)(\text{"stc"}) = \text{upper}(I_s(t)).}$$

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ :

$$s.I(t) = \sigma(id_t)(\text{"stc"}) \quad (\text{C.132})$$

Case analysis on  $s.I(t) \leq \text{upper}(I_s(t))$ ; there are two cases:

- $s.I(t) = \text{upper}(I_s(t))$ :

Appealing to (C.126), (C.132) and  $s.I(t) = \text{upper}(I_s(t))$ :

$$\Delta(id_t)(\text{"mtc"}) \leq \sigma(id_t)(\text{"stc"}) \quad (\text{C.133})$$

Appealing to (C.133) and (C.100):

$$\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) \quad (\text{C.134})$$

Rewriting the goal with (C.134), (C.132) and  $s.I(t) = \text{upper}(I_s(t))$ : tautology.

- $s.I(t) < \text{upper}(I_s(t))$ :

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ :

$$s'.I(t) = s.I(t) + 1 \quad (\text{C.135})$$

From (C.135) and  $s.I(t) < \text{upper}(I_s(t))$ , we can deduce  $s'.I(t) \leq \text{upper}(I_s(t))$ ; contradicts  $s'.I(t) > \text{upper}(I_s(t))$ .

$$4. \boxed{\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) \leq \text{upper}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"}).$$

Assuming that  $\text{upper}(I_s(t)) \neq \infty$  and  $s'.I(t) \leq \text{upper}(I_s(t))$ , let us show

$$\boxed{s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"})}.$$

As  $\text{upper}(I_s(t)) \neq \infty$ , there exists an  $a \in \mathbb{N}^*$ , and a  $b \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, b]$ . Let us take such an  $a$  and  $b$ . By construction, there exists  $tt \in \{\text{TEMP\_A\_A}, \text{TEMP\_A\_B}\}$  s.t.

$\langle \text{maximal\_time\_counter} \Rightarrow b \rangle \in gm_t$ , and  $\langle \text{transition\_type} \Rightarrow tt \rangle \in gm_t$ ; by property of

the elaboration relation:

$$\Delta(id_t)(\text{"mtc"}) = b = \text{upper}(I_s(t)) \quad (\text{C.136})$$

$$\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP} \quad (\text{C.137})$$

Case analysis on  $t \in \text{Sens}(s.M)$ :

(a)  $t \notin \text{Sens}(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $\sigma(id_t)(\text{"se"}) = \text{false}$  (C.138).

Appealing (C.102) and (C.138), we have  $\sigma'(id_t)(\text{"stc"}) = 0$  (C.139).

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.I(t) = 0$  (C.140).

Rewriting the goal with (C.139) and (C.140): tautology.

(b)  $t \in \text{Sens}(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $\sigma(id_t)(\text{"se"}) = \text{true}$  (C.141).

Case analysis on  $s.\text{reset}_t(t)$ :

i.  $s.\text{reset}_t(t) = \text{true}$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $\sigma(id_t)(\text{"srtc"}) = \text{true}$  (C.142).

Appealing to (C.101), (C.137), (C.141) and (C.142), we have  $\sigma'(id_t)(\text{"stc"}) = 1$  (C.143).

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.I(t) = 1$  (C.144).

Rewriting the goal with (C.143) and (C.144), tautology.

ii.  $s.\text{reset}_t(t) = \text{false}$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $\sigma(id_t)(\text{"srtc"}) = \text{false}$  (C.145).

Case analysis on  $s.I(t) > \text{upper}(I_s(t))$  or  $s.I(t) \leq \text{upper}(I_s(t))$ :

A.  $s.I(t) > \text{upper}(I_s(t))$ :

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s.I(t) = s'.I(t)$ , and thus,  $s'.I(t) > \text{upper}(I_s(t))$ .

Contradicts  $s'.I(t) \leq \text{upper}(I_s(t))$ .

B.  $s.I(t) \leq \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$  (C.146).

- $s.I(t) < \text{upper}(I_s(t))$ :

From  $s.I(t) < \text{upper}(I_s(t))$ , (C.146) and (C.136), we can deduce

$\sigma(id_t)(\text{"stc"}) < \Delta(id_t)(\text{"mtc"})$  (C.147).

From (C.99), (C.141), (C.137), (C.145) and (C.147), we can deduce:

$$\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) + 1 \quad (\text{C.148})$$

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ :

$$s'.I(t) = s.I(t) + 1 \quad (\text{C.149})$$

Rewriting the goal with (C.148) and (C.149), tautology.

- $s.I(t) = \text{upper}(I_s(t))$ :

By definition of  $E_c$ ,  $\tau \vdash s \xrightarrow{\downarrow} s'$ , we know that  $s'.I(t) = s.I(t) + 1$ . We assumed that  $s'.I(t) \leq \text{upper}(I_s(t))$ ; thus,  $s.I(t) + 1 \leq \text{upper}(I_s(t))$ .

Contradicts  $s.I(t) = \text{upper}(I_s(t))$ .

□

### C.4.3 Falling edge and condition values

**Lemma 35** (Falling Edge Equal Condition Values). *For all  $\text{sitpn}, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_{\downarrow}, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall c \in \mathcal{C}, id_c \in \text{Ins}(\Delta)$  s.t.  $\gamma(c) = id_c$ ,  $s'.\text{cond}(c) = \sigma'(id_c)$ .*

*Proof.* Given a  $c \in \mathcal{C}$  and an  $id_c \in \text{Ins}(\Delta)$  s.t.  $\gamma(c) = id_c$ , let us show  $s'.\text{cond}(c) = \sigma'(id_c)$ .

By definition of  $E_c$ ,  $\tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s'.\text{cond}(c) = E_c(\tau, c)$  (C.150).

By property of the  $\text{Inject}_{\downarrow}$ , the  $\mathcal{H}$ -VHDL falling edge, the stabilize relations and  $id_c \in \text{Ins}(\Delta)$ , we have  $\sigma'(id_c) = E_p(\tau, \downarrow)(id_c)$  (C.151).

Rewriting the goal with (C.150) and (C.151):  $E_c(\tau, c) = E_p(\tau, \downarrow)(id_c)$

By definition of  $\gamma \vdash E_p \stackrel{\text{env}}{=} E_c$ :  $E_c(\tau, c) = E_p(\tau, \downarrow)(id_c)$ .

□

### C.4.4 Falling and action executions

**Lemma 36** (Falling Edge Equal Action Executions). *For all  $\text{sitpn}, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_{\downarrow}, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall a \in \mathcal{A}, id_a \in \text{Outs}(\Delta)$  s.t.  $\gamma(a) = id_a$ ,  $s'.\text{ex}(a) = \sigma'(id_a)$ .*

*Proof.* Given an  $a \in \mathcal{A}$  and an  $id_a \in \text{Outs}(\Delta)$  s.t.  $\gamma(a) = id_a$ , let us show  $s'.\text{ex}(a) = \sigma'(id_a)$ .

By property of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ :

$$s'.\text{ex}(a) = \sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) \quad (\text{C.152})$$

By construction, the “action” process is a part of design  $d$ ’s behavior, i.e there exist an  $sl \subseteq \text{Sigs}(\Delta)$  and an  $ss_a \in ss$  s.t.  $\text{ps}("action", \emptyset, sl, ss) \in d.cs$ .

By construction  $id_a$  is only assigned in the body of the “action” process. Let  $pls(a)$  be the set of actions associated to action  $a$ , i.e  $pls(a) = \{p \in P \mid \mathbb{A}(p, a) = \text{true}\}$ . Then, depending on  $pls(a)$ , there are two cases of assignment of output port  $id_a$ :

- **CASE**  $pls(a) = \emptyset$ :

By construction,  $id_a \Leftarrow \text{false} \in ss_{a\downarrow}$  where  $ss_{a\downarrow}$  is the part of the “action” process body executed during the falling edge phase.

By property of the  $\mathcal{H}$ -VHDL falling edge, the stabilize relations and  $\text{ps}("action", \emptyset, sl, ss_a) \in d.cs$ :

$$\sigma'(id_a) = \text{false} \quad (\text{C.153})$$

By property of  $\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a)$  and  $pls(a) = \emptyset$ :

$$\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) = \text{false} \quad (\text{C.154})$$

Rewriting the goal with (C.152), (C.153) and (C.154), tautology.

- **CASE**  $pls(a) \neq \emptyset$ :

By construction,  $\text{id}_a \Leftarrow \text{id}_{mp_0} + \dots + \text{id}_{mp_n} \in ss_{a\downarrow}$ , where  $\text{id}_{mp_i} \in Sigs(\Delta)$ ,  $ss_{a\downarrow}$  is the part of the “action” process body executed during the falling edge phase, and  $n = |pls(a)| - 1$ .

By property of the  $\text{Inject}_{\downarrow}$ , the  $\mathcal{H}$ -VHDL falling edge, the stabilize relations, and  $\text{ps}("action", \emptyset, sl, ss) \in d.cs$ :

$$\sigma'(id_a) = \sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n}) \quad (\text{C.155})$$

Rewriting the goal with (C.152) and (C.155),  $\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) = \sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n})$ .

Let us reason on the value of  $\sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n})$ ; there are two cases:

- **CASE**  $\sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n}) = \text{true}$ :

Then, we can rewrite the goal as follows:  $\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) = \text{true}$ .

To prove the above goal, let us show  $\exists p \in \text{marked}(s.M) \text{ s.t. } \mathbb{A}(p, a) = \text{true}$ .

From  $\sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n}) = \text{true}$ , we can deduce that  $\exists id_{mp_i} \text{ s.t. } \sigma(id_{mp_i}) = \text{true}$ . Let us take an  $id_{mp_i}$  s.t.  $\sigma(id_{mp_i}) = \text{true}$ .

By construction, for all  $id_{mp_i}$ , there exist a  $p_i \in pls(a)$ , an  $id_{p_i} \in Comps(\Delta)$ ,  $gm_{p_i}$ ,  $ipm_{p_i}$  and  $opm_{p_i}$  s.t.  $\gamma(p_i) = id_{p_i}$  and  $\text{comp}(id_{p_i}, "place", gm_{p_i}, ipm_{p_i}, opm_{p_i}) \in d.cs$  and  $\langle \text{marked} \Rightarrow \text{id}_{mp_i} \rangle \in opm_{p_i}$ . Let us take such a  $p_i$ ,  $id_{p_i}$ ,  $gm_{p_i}$ ,  $ipm_{p_i}$  and  $opm_{p_i}$ .

By property of stable  $\sigma$ , and  $\text{comp}(id_{p_i}, "place", gm_{p_i}, ipm_{p_i}, opm_{p_i}) \in d.cs$ :

$$\sigma(id_{mp_i}) = \sigma(id_{p_i})(\text{"marked"}) \quad (\text{C.156})$$

$$\sigma(id_{p_i})(\text{"marked"}) = \sigma(id_{p_i})(\text{"sm"}) > 0 \quad (\text{C.157})$$

From (C.156), (C.157) and  $\sigma(id_{mp_i}) = \text{true}$ , we can deduce that  $\sigma(id_{p_i})(\text{"marked"}) = \text{true}$  and  $(\sigma(id_{p_i})(\text{"sm"}) > 0) = \text{true}$ .

By property of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ :

$$s.M(p_i) = \sigma(id_{p_i})(\text{"sm"}) \quad (\text{C.158})$$

From (C.158) and  $(\sigma(id_{p_i})(\text{"sm"}) > 0) = \text{true}$ , we can deduce  $p_i \in \text{marked}(s.M)$ , i.e  $s.M(p_i) > 0$ .

Let us use  $p_i$  to prove the goal:  $\mathbb{A}(p, a) = \text{true}$ .

By definition of  $p_i \in pls(a)$ ,  $\mathbb{A}(p, a) = \text{true}$ .

- **CASE**  $\sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n}) = \text{false}$ :

Then, we can rewrite the goal as follows:  $\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) = \text{false}$ .

To prove the above goal, let us show  $\forall p \in \text{marked}(s.M) \text{ s.t. } \mathbb{A}(p, a) = \text{false}$ .

Given a  $p \in \text{marked}(s.M)$ , let us show  $\mathbb{A}(p, a) = \text{false}$ .

Let us perform case analysis on  $\mathbb{A}(p, a)$ ; there are 2 cases:

\* CASE  $\mathbb{A}(p, a) = \text{false}$ .

\* CASE  $\mathbb{A}(p, a) = \text{true}$ :

By construction, for all  $p \in P$  s.t.  $\mathbb{A}(p, a) = \text{true}$ , there exist an  $id_p \in \text{Comps}(\Delta)$ ,  $gm_{tp}$ ,  $ipm_p$  and  $id_{mp_i} \in \text{Sigs}(\Delta)$  s.t.  $\gamma(p) = id_p$  and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$  and  $\langle \text{marked} \Rightarrow id_{mp_i} \rangle \in opm_p$ . Let us take such a  $id_p$ ,  $gm_p$ ,  $ipm_p$ ,  $opm_p$  and  $id_{mp_i}$ . By property of stable  $\sigma$  and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma(id_{mp_i}) = \sigma(id_p)(\text{"marked"}) \quad (\text{C.159})$$

$$\sigma(id_p)(\text{"marked"}) = \sigma(id_p)(\text{"sm"}) > 0 \quad (\text{C.160})$$

From  $\sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n}) = \text{false}$ , we can deduce  $\sigma(id_p)(\text{"marked"}) = \text{false}$ , and thus that  $(\sigma(id_p)(\text{"sm"}) > 0) = \text{false}$ .

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ , we have  $s.M(p) = \sigma(id_p)(\text{"sm"})$ , and thus, we can deduce that  $s.M(p) = 0$  (equivalent to  $(s.M(p) > 0) = \text{false}$ ).

Contradicts  $p \in \text{marked}(s.M)$  (i.e,  $s.M(p) > 0$ ).

□

#### C.4.5 Falling edge and function executions

**Lemma 37** (Falling Edge Equal Function Executions). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall f \in \mathcal{F}, id_f \in \text{Outs}(\Delta)$  s.t.  $\gamma(f) = id_f$ ,  $s'.ex(f) = \sigma'(id_f)$ .*

*Proof.* Given an  $f \in \mathcal{F}$  and an  $id_f \in \text{Outs}(\Delta)$  s.t.  $\gamma(f) = id_f$ , let us show  $\boxed{s'.ex(f) = \sigma'(id_f)}$ .

By property of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ :

$$s.ex(f) = s'.ex(f) \quad (\text{C.161})$$

By construction,  $id_f$  is an output port identifier of boolean type in the  $\mathcal{H}$ -VHDL design  $d$  assigned by the “function” process only during a rising edge phase.

By property of the  $\mathcal{H}$ -VHDL Inject $\uparrow$ , rising edge, stabilize relations, and the “function” process:

$$\sigma(id_f) = \sigma'(id_f) \quad (\text{C.162})$$

Rewriting the goal with (C.161) and (C.162),  $\boxed{s.ex(f) = \sigma(id_f)}$ .

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ ,  $\boxed{s.ex(f) = \sigma(id_f)}$ .

□

#### C.4.6 Falling edge and firable transitions

**Lemma 38** (Falling Edge Equal Firable). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  $t \in \text{Firable}(s') \Leftrightarrow \sigma'(id_t)(\text{"s\_firable"}) = \text{true}$ .*

*Proof.* Given a  $t \in T$  and  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show that

$$\boxed{t \in \text{Firable}(s') \Leftrightarrow \sigma'(id_t)(\text{"s\_firable"}) = \text{true}}$$

The proof is in two parts:

- Assuming that  $t \in \text{Firable}(s')$ , let us show  $\sigma'(id_t)(\text{"s\_firable"}) = \text{true}$ .

Apply Lemma **Falling Edge Equal Firable 1** to solve the goal.

- Assuming that  $\sigma'(id_t)(\text{"s\_firable"}) = \text{true}$ , let us show  $t \in \text{Firable}(s')$ .

Apply Lemma **Falling Edge Equal Firable 2** to solve the goal.

□

**Lemma 39** (Falling Edge Equal Firable 1). *For all  $sitpn$ ,  $d$ ,  $\gamma$ ,  $\Delta$ ,  $\sigma_e$ ,  $E_c$ ,  $E_p$ ,  $\tau$ ,  $s$ ,  $s'$ ,  $\sigma$ ,  $\sigma_i$ ,  $\sigma_\downarrow$ ,  $\sigma'$  that verify the hypotheses of Def. 9, then  $\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  $t \in \text{Firable}(s') \Rightarrow \sigma'(id_t)(\text{"s\_firable"}) = \text{true}$ .*

*Proof.* Given a  $t \in T$  and  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , and assuming that  $t \in \text{Firable}(s')$ , let us show  $\sigma'(id_t)(\text{"s\_firable"}) = \text{true}$ .

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ . By property of the  $\text{Inject}_\downarrow$ , the  $\mathcal{H}$ -VHDL falling edge, the stabilize relations and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_t)(\text{"sfa"}) = \sigma(id_t)(\text{"se"}) . \sigma(id_t)(\text{"scc"}) . \text{checktc}(\Delta(id_t), \sigma(id_t)) \quad (\text{C.163})$$

Let us define term  $\text{checktc}(\Delta(id_t), \sigma(id_t))$  as follows:

$$\begin{aligned} \text{checktc}(\Delta(id_t), \sigma(id_t)) = & \left( \text{not } \sigma(id_t)(\text{"srtc"}) . \right. \\ & \left[ \begin{aligned} & ((\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B} . (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) \\ & \quad . (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1)) \\ & + (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A} . (\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1)) \\ & + (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF} . (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1)) \end{aligned} \right] \\ & + (\sigma(id_t)(\text{"srtc"}) . \Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP} . \sigma(id_t)(\text{"A"}) = 1) \\ & + \Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP} \end{aligned} \quad (\text{C.164})$$

Rewriting the goal with (C.163):  $\sigma(id_t)(\text{"se"}) . \sigma(id_t)(\text{"scc"}) . \text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}$ .

Then, there are three points to prove:

- $\sigma(id_t)(\text{"se"}) = \text{true}$ :

From  $t \in \text{Firable}(s')$ , we can deduce  $t \in \text{Sens}(s'.M)$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s.M = s'.M$ , and thus, we can deduce  $t \in \text{Sens}(s.M)$ .

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ , we know that  $t \in \text{Sens}(s.M)$  implies  $\sigma(id_t)(\text{"se"}) = \text{true}$ .

- $\sigma(id_t)(\text{"scc"}) = \text{true}$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ :

$$\sigma(id_t)(\text{"scc"}) = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases} \quad (\text{C.165})$$

where  $\text{conds}(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$ .

Rewriting the goal with (C.165):  $\boxed{\prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases} = \text{true.}}$

To ease the reading, let us define  $f(c) = \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$ .

Let us reason by induction on the left term of the goal:

- **BASE CASE:**  $\text{true} = \text{true.}$
- **INDUCTION CASE:**

$$\boxed{\prod_{c' \in \text{conds}(t) \setminus \{c\}} f(c') = \text{true}}$$

$$\boxed{f(c) \cdot \prod_{c' \in \text{conds}(t) \setminus \{c\}} f(c') = \text{true.}}$$

Rewriting the goal with the induction hypothesis, and simplifying the goal, and unfolding

the definition of  $f(c)$ :  $\boxed{\begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases} = \text{true.}}$

As  $c \in \text{conds}(t)$ , let us perform case analysis on  $\mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1$ :

$$(a) \boxed{\mathbb{C}(t, c) = 1: E_c(\tau, c) = \text{true.}}$$

By definition of  $t \in \text{Firable}(s')$ , we can deduce that  $s'.cond(c) = \text{true}$ . By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.cond(c) = E_c(\tau, c)$ . Thus,  $E_c(\tau, c) = \text{true}$ .

$$(b) \boxed{\mathbb{C}(t, c) = -1: \text{not } E_c(\tau, c) = \text{true.}}$$

By definition of  $t \in \text{Firable}(s')$ , we can deduce that  $s'.cond(c) = \text{false}$ . By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.cond(c) = E_c(\tau, c)$ . Thus,  $\text{not } E_c(\tau, c) = \text{true}$ .

$$3. \boxed{\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}}:$$

By definition of  $t \in \text{Firable}(s')$ , we have  $t \notin T_i \vee s'.I(t) \in I_s(t)$ . Let us perform case analysis on  $t \notin T_i \vee s'.I(t) \in I_s(t)$ :

$$(a) t \notin T_i:$$

By construction,  $\langle \text{transition\_type} \Rightarrow \text{NOT\_TEMP} \rangle \in gm_t$ , and by property of the elaboration relation, we have  $\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}$ .

From  $\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}$ , and the definition of  $\text{checktc}(\Delta(id_t), \sigma(id_t))$ , we can deduce  $\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}$ .

(b)  $s'.I(t) \in I_s(t)$ :

From  $s'.I(t) \in I_s(t)$ , we can deduce that  $t \in T_i$ . Thus, by construction, there exists  $tt \in \{\text{TEMP\_A\_B}, \text{TEMP\_A\_A}, \text{TEMP\_A\_INF}\}$  s.t.  $\langle \text{transition\_type} \Rightarrow tt \rangle \in gm_t$ . By property of the elaboration relation, we have  $\Delta(id_t)(\text{"tt"}) = tt$ , and thus, we know  $\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP}$ . Therefore, we can simplify the term  $\text{checktc}(\Delta(id_t), \sigma(id_t))$  as follows:

$$\begin{aligned} \text{checktc}(\Delta(id_t), \sigma(id_t)) &= \left( \text{not } \sigma(id_t)(\text{"srtc"}) . \right. \\ &\quad [ (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B} . (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) \right. \\ &\quad \quad \quad \left. . (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1)) \right. \\ &\quad + (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A} . \\ &\quad \quad \quad (\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1)) \\ &\quad + (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF} . \\ &\quad \quad \quad (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1))] \Big) \\ &\quad + (\sigma(id_t)(\text{"srtc"}) . \sigma(id_t)(\text{"A"}) = 1) \end{aligned} \tag{C.166}$$

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $s.\text{reset}_t(t) = \sigma(id_t)(\text{"srtc"})$ .

Let us perform case analysis on the value  $s.\text{reset}_t(t)$ :

i.  $s.\text{reset}_t(t) = \text{true}$ :

Then, from  $s.\text{reset}_t(t) = \sigma(id_t)(\text{"srtc"})$ , we can deduce that  $\sigma(id_t)(\text{"srtc"}) = \text{true}$ . From  $\sigma(id_t)(\text{"srtc"}) = \text{true}$ , we can simplify the term  $\text{checktc}(\Delta(id_t), \sigma(id_t))$  as follows:

$$\text{checktc}(\Delta(id_t), \sigma(id_t)) = (\sigma(id_t)(\text{"A"}) = 1) \tag{C.167}$$

Rewriting the goal with (C.167), and simplifying the goal:  $\boxed{\sigma(id_t)(\text{"A"}) = 1}$ .

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , from  $t \in \text{Sens}(s.M)$  and  $s.\text{reset}_t(t) = \text{true}$ , we can deduce  $s'.I(t) = 1$ . We know that  $s'.I(t) \in I_s(t)$ , and thus, we have  $1 \in I_s(t)$ . By definition of  $1 \in I_s(t)$ , there exist an  $a \in \mathbb{N}^*$  and a  $ni \in \mathbb{N}^* \sqcup \{\infty\}$  s.t.  $I_s(t) = [a, ni]$  and  $1 \in [a, ni]$ .

By definition of  $1 \in [a, ni]$ , we have  $a \leq 1$ , and since  $a \in \mathbb{N}^*$ , we can deduce  $a = 1$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a = 1$ .

ii.  $s.\text{reset}_t(t) = \text{false}$ :

Then, from  $s.\text{reset}_t(t) = \sigma(id_t)(\text{"srtc"})$ , we can deduce that  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ .

From  $\sigma(id_t)(“stc”) = \text{false}$ , we can simplify the term  $\text{checktc}(\Delta(id_t), \sigma(id_t))$  as follows:

$$\begin{aligned} & \text{checktc}(\Delta(id_t), \sigma(id_t)) \\ &= (\Delta(id_t)(“tt”) = \text{TEMP\_A\_B} \cdot (\sigma(id_t)(“stc”) \geq \sigma(id_t)(“A”) - 1) \\ &\quad \cdot (\sigma(id_t)(“stc”) \leq \sigma(id_t)(“B”) - 1)) \\ &+ (\Delta(id_t)(“tt”) = \text{TEMP\_A\_A} \cdot (\sigma(id_t)(“stc”) = \sigma(id_t)(“A”) - 1)) \\ &+ (\Delta(id_t)(“tt”) = \text{TEMP\_A\_INF} \cdot (\sigma(id_t)(“stc”) \geq \sigma(id_t)(“A”) - 1)) \end{aligned} \quad (\text{C.168})$$

Let us perform case analysis on  $I_s(t)$ ; there are two cases:

- $I_s(t) = [a, b]$  where  $a, b \in \mathbb{N}^*$ ; then, either  $a = b$  or  $a \neq b$ :

–  $a = b$ :

Then, we have  $I_s(t) = [a, a]$ , and by construction  $\langle \text{transition\_type} \Rightarrow \text{TEMP\_A\_A} \rangle \in gmt_t$ . By property of the elaboration relation, we have  $\Delta(id_t)(“tt”) = \text{TEMP\_A\_A}$ ; thus we can simplify the term  $\text{checktc}$  as follows:

$$\text{checktc}(\Delta(id_t), \sigma(id_t)) = (\sigma(id_t)(“stc”) = \sigma(id_t)(“A”) - 1) \quad (\text{C.169})$$

Rewriting the goal with (C.169), and simplifying the goal:

$$\boxed{\sigma(id_t)(“stc”) = \sigma(id_t)(“A”) - 1.}$$

From  $s'.I(t) \in [a, a]$ , we can deduce that  $s'.I(t) = a$ . Let us perform case analysis on  $s.I(t) < \text{upper}(I_s(t))$  or  $s.I(t) \geq \text{upper}(I_s(t))$ :

- \*  $s.I(t) < \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ , we have  $s.I(t) = \sigma(id_t)(“stc”)$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s'.I(t) = s.I(t) + 1$ . From  $s'.I(t) = a$  and  $s'.I(t) = s.I(t) + 1$ , we can deduce  $a - 1 = s.I(t)$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(“A”) = a$ .

Rewriting the goal with  $\sigma(id_t)(“A”) = a$  and  $s.I(t) = \sigma(id_t)(“stc”)$ :

$$\boxed{\sigma(id_t)(“stc”) = \sigma(id_t)(“A”) - 1.}$$

- \*  $s.I(t) \geq \text{upper}(I_s(t))$ :

In the case where  $s.I(t) > \text{upper}(I_s(t))$ , then  $s.I(t) > a$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s.I(t) = s'.I(t) = a$ . Then,  $a > a$  is a contradiction.

In the case where  $s.I(t) = \text{upper}(I_s(t))$ , then  $s.I(t) = a$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s'.I(t) = s.I(t) + 1$ . Then, we have  $s'.I(t) = a$  and  $s'.I(t) = a + 1$ . Then,  $a = a + 1$  is a contradiction.

–  $a \neq b$ :

Then, we have  $I_s(t) = [a, b]$ , and by construction  $\langle \text{transition\_type} \Rightarrow \text{TEMP\_A\_B} \rangle \in gmt_t$ . By property of the elaboration relation, we have

$\Delta(id_t)(“tt”) = \text{TEMP\_A\_B}$ ; thus we can simplify the term  $\text{checktc}$  as follows:

$$\begin{aligned} & \text{checktc}(\Delta(id_t), \sigma(id_t)) \\ &= (\sigma(id_t)(“stc”) \geq \sigma(id_t)(“A”) - 1) \cdot (\sigma(id_t)(“stc”) \leq \sigma(id_t)(“B”) - 1) \end{aligned} \quad (\text{C.170})$$

Rewriting the goal with (C.170), and simplifying the goal:

$$(\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) \wedge (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1).$$

Let us perform case analysis on  $s.I(t) < \text{upper}(I_s(t))$  or  $s.I(t) \geq \text{upper}(I_s(t))$ :

- \*  $s.I(t) < \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ . By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.I(t) = s.I(t) + 1$ . By definition of  $s'.I(t) \in [a, b]$ :

$$\Rightarrow a \leq s'.I(t) \leq b.$$

$$\Rightarrow a \leq s'.I(t) \wedge s'.I(t) \leq b$$

$$\Rightarrow a \leq s.I(t) + 1 \wedge s.I(t) + 1 \leq b$$

$$\Rightarrow a - 1 \leq s.I(t) \wedge s.I(t) \leq b - 1$$

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$  and  $\langle \text{time\_B\_value} \Rightarrow b \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$  and  $\sigma(id_t)(\text{"B"}) = b$ .

Rewriting the goal with  $\sigma(id_t)(\text{"A"}) = a, \sigma(id_t)(\text{"B"}) = b$  and  $s.I(t) = \sigma(id_t)(\text{"stc"})$ :

$$a - 1 \leq s.I(t) \wedge s.I(t) \leq b - 1.$$

- \*  $s.I(t) \geq \text{upper}(I_s(t))$ :

In the case where  $s.I(t) > \text{upper}(I_s(t))$ , then  $s.I(t) > b$ . By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s.I(t) = s'.I(t) = b$ . Then,  $b > b$  is a contradiction.

In the case where  $s.I(t) = \text{upper}(I_s(t))$ , then  $s.I(t) = b$ . By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.I(t) = s.I(t) + 1$ .

By definition of  $s'.I(t) \in [a, b]$ , we have  $s'.I(t) \leq b$ :

$$\Rightarrow s.I(t) + 1 \leq b$$

$$\Rightarrow b + 1 \leq b \text{ is contradiction.}$$

- $I_s(t) = [a, \infty]$  where  $a \in \mathbb{N}^*$ :

By construction  $\langle \text{transition\_type} \Rightarrow \text{TEMP\_A\_INF} \rangle \in gm_t$ . By property of the elaboration relation, we have  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF}$ ; thus we can simplify the term `checktc` as follows:

$$\text{checktc}(\Delta(id_t), \sigma(id_t)) = (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) \quad (\text{C.171})$$

Rewriting the goal with (C.171), and simplifying the goal:

$$\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1.$$

From  $s'.I(t) \in [a, \infty]$ , we can deduce  $a \leq s'.I(t)$ . Then, let us perform case analysis on  $s.I(t) \leq \text{lower}(I_s(t))$  or  $s.I(t) > \text{lower}(I_s(t))$ :

- $s.I(t) \leq \text{lower}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.I(t) = s.I(t) + 1$ :

$$\Rightarrow a \leq s'.I(t)$$

$$\Rightarrow a \leq s.I(t) + 1$$

$$\Rightarrow a - 1 \leq s.I(t)$$

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$ .

Rewriting the goal with  $\sigma(id_t)(A) = a$  and  $s.I(t) = \sigma(id_t)(stc)$ :

$$a - 1 \leq s.I(t).$$

- $s.I(t) > lower(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $\sigma(id_t)(stc) = lower(I_s(t)) = a$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(A) = a$ .

Rewriting the goal with  $\sigma(id_t)(stc) = a$  and  $\sigma(id_t)(A) = a$ :  $a - 1 \leq a$ .

□

**Lemma 40** (Falling Edge Equal Firable 2). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t, \sigma'(id_t)(s\_firable) = \text{true} \Rightarrow t \in Firable(s')$ .*

*Proof.* Given a  $t \in T$  and  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , and assuming that  $\sigma'(id_t)(s\_firable) = \text{true}$ , let us show  $t \in Firable(s')$ .

By definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ . By property of the  $\text{Inject}_\downarrow$ , the  $\mathcal{H}$ -VHDL falling edge, the stabilize relations and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_t)(sfa) = \sigma(id_t)(se) \cdot \sigma(id_t)(scc) \cdot \text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true} \quad (\text{C.172})$$

From (C.172), we can deduce:

$$\sigma(id_t)(se) = \text{true} \quad (\text{C.173})$$

$$\sigma(id_t)(scc) = \text{true} \quad (\text{C.174})$$

$$\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true} \quad (\text{C.175})$$

Term  $\text{checktc}(\Delta(id_t), \sigma(id_t))$  as the same definition as in Lemma [Falling Edge Equal Firable 1](#). By definition of  $t \in Firable(s')$ , there are three points to prove:

$$1. \boxed{t \in Sens(s'.M)}$$

$$2. \boxed{t \notin T_i \vee s'.I(t) \in I_s(t)}$$

$$3. \boxed{\forall c \in \mathcal{C}, \mathbb{C}(t, c) = 1 \Rightarrow s'.cond(c) = \text{true} \text{ and } \mathbb{C}(t, c) = -1 \Rightarrow s'.cond(c) = \text{false}}$$

Let us prove these three points:

$$1. \boxed{t \in Sens(s'.M)}:$$

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\sim} s'$ , we have  $s.M = s'.M$ . Rewriting the goal with  $s.M = s'.M$ :  $t \in Sens(s.M)$ .

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $\sigma(id_t)(se) = \text{true} \Leftrightarrow t \in Sens(s.M)$ .

$$\boxed{t \in Sens(s.M)}.$$

2.  $\forall c \in \mathcal{C}, \mathbb{C}(t, c) = 1 \Rightarrow s'.cond(c) = \text{true}$  and  $\mathbb{C}(t, c) = -1 \Rightarrow s'.cond(c) = \text{false}$

Given a  $c \in \mathcal{C}$ , there are two points to prove:

- (a)  $\boxed{\mathbb{C}(t, c) = 1 \Rightarrow s'.cond(c) = \text{true}.}$
- (b)  $\boxed{\mathbb{C}(t, c) = -1 \Rightarrow s'.cond(c) = \text{false}.}$

Let us prove these two points:

- (a) Assuming that  $\mathbb{C}(t, c) = 1$ , let us show  $\boxed{s'.cond(c) = \text{true}.}$

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have:

$$\sigma(id_t)(\text{"scc"}) = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases} = \text{true} \quad (\text{C.176})$$

where  $\text{conds}(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$ .

As  $c \in \text{conds}(t)$  and  $\mathbb{C}(t, c) = 1$ , and by definition of the product expression, we have:

$$E_c(\tau, c) \cdot \prod_{c' \in \text{conds}(t) \setminus \{c\}} \begin{cases} E_c(\tau, c') & \text{if } \mathbb{C}(t, c') = 1 \\ \text{not}(E_c(\tau, c')) & \text{if } \mathbb{C}(t, c') = -1 \end{cases} = \text{true} \quad (\text{C.177})$$

From (C.177), we can deduce that  $E_c(\tau, c) = \text{true}$ .

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.cond(c) = E_c(\tau, c)$ .

Rewriting the goal with  $s'.cond(c) = E_c(\tau, c)$  and  $E_c(\tau, c) = \text{true}$ : tautology.

- (b) Assuming that  $\mathbb{C}(t, c) = -1$ , let us show  $\boxed{s'.cond(c) = \text{false}.}$

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have:

$$\sigma(id_t)(\text{"scc"}) = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases} = \text{true} \quad (\text{C.178})$$

where  $\text{conds}(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$ .

As  $c \in \text{conds}(t)$  and  $\mathbb{C}(t, c) = -1$ , and by definition of the product expression, we have:

$$\text{not } E_c(\tau, c) \cdot \prod_{c' \in \text{conds}(t) \setminus \{c\}} \begin{cases} E_c(\tau, c') & \text{if } \mathbb{C}(t, c') = 1 \\ \text{not}(E_c(\tau, c')) & \text{if } \mathbb{C}(t, c') = -1 \end{cases} = \text{true} \quad (\text{C.179})$$

From (C.179), we can deduce that  $E_c(\tau, c) = \text{false}$ .

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.cond(c) = E_c(\tau, c)$ .

Rewriting the goal with  $s'.cond(c) = E_c(\tau, c)$  and  $E_c(\tau, c) = \text{false}$ : tautology.

3.  $\boxed{t \notin T_i \vee s'.I(t) \in I_s(t)}$

Reasoning on  $\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}$ , there are 3 cases:

- (a)  $\left( \text{not } \sigma(id_t)(\text{"srtc"}) . [\dots] \right) = \text{true}^2$
- (b)  $(\sigma(id_t)(\text{"srtc"}) . \Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP} . \sigma(id_t)(\text{"A"}) = 1) = \text{true}$
- (c)  $(\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}) = \text{true}$

- (a)  $\left( \text{not } \sigma(id_t)(\text{"srtc"}) . [\dots] \right) = \text{true}:$

Then, we can deduce  $\text{not } \sigma(id_t)(\text{"srtc"}) = \text{true}$  and  $[\dots] = \text{true}$ . From  $\text{not } \sigma(id_t)(\text{"srtc"}) = \text{true}$ , we can deduce  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ , and from  $[\dots] = \text{true}$ , we have three other cases:

- $(\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B} . (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) . (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1)) = \text{true}$
- $(\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A} . (\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1)) = \text{true}$
- $(\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF} . (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1)) = \text{true}$

Let us prove the goal in these three contexts:

- $(\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B} . (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) . (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1)) = \text{true}:$

Then, converting boolean equalities into intuitionistic predicates, we have:

- $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B}$
- $\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1$
- $\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1$

By property of the elaboration relation, and  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B}$ , there exist  $a, b \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, b]$ . Let us take such an  $a$  and  $b$ . Then, let us show  $s'.I(t) \in I_s(t)$ .

Rewriting the goal with  $I_s(t) = [a, b]$ :  $s'.I(t) \in [a, b]$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle$  and  $\langle \text{time\_B\_value} \Rightarrow b \rangle$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$  and  $\sigma(id_t)(\text{"B"}) = b$ .

Rewriting the goal with  $\sigma(id_t)(\text{"A"}) = a$  and  $\sigma(id_t)(\text{"B"}) = b$ , and by definition of  $\in$ :  $\sigma(id_t)(\text{"A"}) \leq s'.I(t) \leq \sigma(id_t)(\text{"B"})$ .

Now, let us perform case analysis on  $s.I(t) \leq \text{upper}(I_s(t))$  or  $s.I(t) > \text{upper}(I_s(t))$ :

- $s.I(t) \leq \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

From  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce  $t \in \text{Sens}(s.M)$ , and from  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ , we can deduce  $s.\text{reset}_t(t) = \text{false}$ . Then, by definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s'.I(t) = s.I(t) + 1$ .

$$\Rightarrow \boxed{\sigma(id_t)(\text{"A"}) \leq s.I(t) + 1 \leq \sigma(id_t)(\text{"B"})} \quad (\text{by } s'.I(t) = s.I(t) + 1)$$

$$\Rightarrow \boxed{\sigma(id_t)(\text{"A"}) \leq \sigma(id_t)(\text{"stc"}) + 1 \leq \sigma(id_t)(\text{"B"})} \quad (\text{by } s.I(t) = \sigma(id_t)(\text{"stc"}))$$

$$\Rightarrow \boxed{\sigma(id_t)(\text{"A"}) - 1 \leq \sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1}$$

- $s.I(t) > \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\sim} \sigma$ , we have  $\sigma(id_t)(\text{"stc"}) = \text{upper}(I_s(t)) = b$ .

---

<sup>2</sup>See equation (C.164) for the full definition

Then, from  $\sigma(id_t)(“stc”) \leq \sigma(id_t)(“B”) - 1$ ,  $\sigma(id_t)(“stc”) = upper(I_s(t)) = b$  and  $\sigma(id_t)(“B”) = b$ , we can deduce the following contradiction:

$$\sigma(id_t)(“B”) \leq \sigma(id_t)(“B”) - 1.$$

- ii.  $(\Delta(id_t)(“tt”) = TEMP\_A\_A . (\sigma(id_t)(“stc”) = \sigma(id_t)(“A”) - 1)) = \text{true}$ :

Then, converting boolean equalities into intuitionistic predicates, we have:

- $\Delta(id_t)(“tt”) = TEMP\_A\_A$
- $\sigma(id_t)(“stc”) = \sigma(id_t)(“A”) - 1$

By property of the elaboration relation, and  $\Delta(id_t)(“tt”) = TEMP\_A\_A$ , there exist  $a \in \mathbb{N}^*$

s.t.  $I_s(t) = [a, a]$ . Let us take such an  $a$ . Then, let us show  $s’.I(t) \in I_s(t)$ .

Rewriting the goal with  $I_s(t) = [a, a]$ :  $s’.I(t) \in [a, a]$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(“A”) = a$ .

Rewriting the goal with  $\sigma(id_t)(“A”) = a$ , unfolding the definition of  $\in$ , and simplifying the goal:  $s’.I(t) = \sigma(id_t)(“A”)$ .

Now, let us perform case analysis on  $s.I(t) \leq upper(I_s(t))$  or  $s.I(t) > upper(I_s(t))$ :

- $s.I(t) \leq upper(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ , we have  $s.I(t) = \sigma(id_t)(“stc”)$ .

From  $\sigma(id_t)(“se”) = \text{true}$ , we can deduce  $t \in Sens(s.M)$ , and from  $\sigma(id_t)(“srtc”) = \text{false}$ , we can deduce  $s.reset_t(t) = \text{false}$ . Then, by definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s’.I(t) = s.I(t) + 1$ .

$$\Rightarrow s.I(t) + 1 = \sigma(id_t)(“A”) \quad (\text{by } s’.I(t) = s.I(t) + 1)$$

$$\Rightarrow \sigma(id_t)(“stc”) + 1 = \sigma(id_t)(“A”) \quad (\text{by } s.I(t) = \sigma(id_t)(“stc”))$$

$$\Rightarrow \sigma(id_t)(“stc”) = \sigma(id_t)(“A”) - 1$$

- $s.I(t) > upper(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ , we have  $\sigma(id_t)(“stc”) = upper(I_s(t)) = a$ .

Then, from  $\sigma(id_t)(“stc”) = \sigma(id_t)(“A”) - 1$ ,  $\sigma(id_t)(“stc”) = upper(I_s(t)) = a$ ,  $\sigma(id_t)(“A”) = a$ , and  $a \in \mathbb{N}^*$ , we can deduce the following contradiction:

$$\sigma(id_t)(“A”) = \sigma(id_t)(“A”) - 1.$$

- iii.  $(\Delta(id_t)(“tt”) = TEMP\_A\_INF . (\sigma(id_t)(“stc”) \geq \sigma(id_t)(“A”) - 1)) = \text{true}$ :

Then, converting boolean equalities into intuitionistic predicates, we have:

- $\Delta(id_t)(“tt”) = TEMP\_A\_INF$
- $\sigma(id_t)(“stc”) \geq \sigma(id_t)(“A”) - 1$

By property of the elaboration relation, and  $\Delta(id_t)(“tt”) = TEMP\_A\_INF$ , there exist  $a \in \mathbb{N}^*$

s.t.  $I_s(t) = [a, \infty]$ . Let us take such an  $a$ . Then, let us show  $s’.I(t) \in I_s(t)$ .

Rewriting the goal with  $I_s(t) = [a, \infty]$ :  $s’.I(t) \in [a, \infty]$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(“A”) = a$ .

Rewriting the goal with  $\sigma(id_t)(“A”) = a$ , unfolding the definition of  $\in$ , and simplifying the goal:  $\sigma(id_t)(“A”) \leq s’.I(t)$ .

Now, let us perform case analysis on  $s.I(t) \leq lower(I_s(t))$  or  $s.I(t) > lower(I_s(t))$ :

- $s.I(t) \leq lower(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

From  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce  $t \in \text{Sens}(s.M)$ , and from  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ , we can deduce  $s.reset_t(t) = \text{false}$ . Then, by definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s'.I(t) = s.I(t) + 1$ .

$$\Rightarrow \boxed{\sigma(id_t)(\text{"A"}) \leq s.I(t) + 1} \quad (\text{by } s'.I(t) = s.I(t) + 1)$$

$$\Rightarrow \boxed{\sigma(id_t)(\text{"A"}) \leq \sigma(id_t)(\text{"stc"}) + 1} \quad (\text{by } s.I(t) = \sigma(id_t)(\text{"stc"}))$$

$$\Rightarrow \boxed{\sigma(id_t)(\text{"A"}) - 1 \leq \sigma(id_t)(\text{"stc"})}$$

- $s.I(t) > lower(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ , we have  $\sigma(id_t)(\text{"stc"}) = lower(I_s(t)) = a$ .

From  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce  $t \in \text{Sens}(s.M)$ , and from  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ , we can deduce  $s.reset_t(t) = \text{false}$ . Then, by definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s'.I(t) = s.I(t) + 1$ .

$$\Rightarrow \boxed{\sigma(id_t)(\text{"A"}) \leq s.I(t) + 1} \quad (\text{by } s'.I(t) = s.I(t) + 1)$$

$$\Rightarrow \boxed{a \leq s.I(t) + 1} \quad (\text{by } \sigma(id_t)(\text{"A"}) = a)$$

$$\Rightarrow \boxed{a < s.I(t)}$$

$$\Rightarrow \boxed{lower(I_s(t)) < s.I(t)}$$

(b)  $(\sigma(id_t)(\text{"srtc"}) . \Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP} . \sigma(id_t)(\text{"A"}) = 1) = \text{true}$

Then, converting boolean equalities into intuitionistic predicates, we have:

- $\sigma(id_t)(\text{"srtc"}) = \text{true}$
- $\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP}$
- $\sigma(id_t)(\text{"A"}) = 1$

By property of the elaboration relation, and  $\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP}$ , there exist an  $a \in \mathbb{N}^*$  and a  $ni \in \mathbb{N}^* \sqcup \{\infty\}$  s.t.  $I_s(t) = [a, ni]$ . Let us take such an  $a$  and  $ni$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$ . Thus, we can deduce  $a = 1$  and  $I_s(t) = [1, ni]$ .

By definition of  $\gamma, E_c, \tau \vdash s \xrightarrow{\uparrow} \sigma$ , from  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce  $t \in \text{Sens}(s.M)$ , and from  $\sigma(id_t)(\text{"srtc"}) = \text{true}$ , we can deduce  $s.reset_t(t) = \text{true}$ .

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ ,  $t \in \text{Sens}(s.M)$  and  $s.reset_t(t) = \text{true}$ , we have  $s'.I(t) = 1$ .

Now, let us show  $\boxed{s'.I(t) \in I_s(t)}$ .

Rewriting the goal with  $s'.I(t) = 1$  and  $I_s(t) = [1, ni]$ :  $1 \in [1, ni]$ .

(c)  $(\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}) = \text{true}$

Let us show  $\boxed{t \notin T_i}$ .

By property of the elaboration relation and  $\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}$ , we have  $t \notin T_i$ .

□

**Lemma 41** (Falling Edge Equal Not Firable). *For all sitpn, d,  $\gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Def. 9, then  $\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t, t \in \text{Firable}(s') \Leftrightarrow \sigma'(id_t)(\text{"s\_firable"}) = \text{true}$ .*

*Proof.* Proving the above lemma is trivial by appealing to Lemma [Falling Edge Equal Firable](#) and by reasoning on contrapositives.  $\square$

# Bibliography

- [1] Karima Berramla, El Abbassia Deba, and Mohammed Senouci. "Formal Validation of Model Transformation with Coq Proof Assistant". In: *2015 First International Conference on New Technologies of Information and Communication (NTIC)*. 2015 First International Conference on New Technologies of Information and Communication (NTIC). Nov. 2015, pp. 1–6. DOI: [10.1109/NTIC.2015.7368755](https://doi.org/10.1109/NTIC.2015.7368755).
- [2] Sandrine Blazy, Zaynah Dargaye, and Xavier Leroy. "Formal Verification of a C Compiler Front-End". In: *FM 2006: Formal Methods*. International Symposium on Formal Methods. Springer, Berlin, Heidelberg, Aug. 21, 2006, pp. 460–475. DOI: [10.1007/11813040\\_31](https://doi.org/10.1007/11813040_31). URL: [https://link.springer.com/chapter/10.1007/11813040\\_31](https://link.springer.com/chapter/10.1007/11813040_31) (visited on 05/25/2020).
- [3] Thomas Bourgeat et al. "The Essence of Bluespec: A Core Language for Rule-Based Hardware Design". In: *Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation*. PLDI 2020. New York, NY, USA: Association for Computing Machinery, June 11, 2020, pp. 243–257. ISBN: 978-1-4503-7613-6. DOI: [10.1145/3385412.3385965](https://doi.org/10.1145/3385412.3385965). URL: <https://doi.org/10.1145/3385412.3385965> (visited on 05/05/2021).
- [4] Timothy Bourke et al. "A Formally Verified Compiler for Lustre". In: (), p. 17.
- [5] Thomas Braibant and Adam Chlipala. "Formal Verification of Hardware Synthesis". In: *Computer Aided Verification*. Ed. by Natasha Sharygina and Helmut Veith. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer, 2013, pp. 213–228. ISBN: 978-3-642-39799-8. DOI: [10.1007/978-3-642-39799-8\\_14](https://doi.org/10.1007/978-3-642-39799-8_14).
- [6] Daniel Calegari et al. "A Type-Theoretic Framework for Certified Model Transformations". In: *Formal Methods: Foundations and Applications*. Ed. by Jim Davies, Leila Silva, and Adenilso Simao. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer, 2011, pp. 112–127. ISBN: 978-3-642-19829-8. DOI: [10.1007/978-3-642-19829-8\\_8](https://doi.org/10.1007/978-3-642-19829-8_8).
- [7] Adam Chlipala. "A Verified Compiler for an Impure Functional Language". In: *ACM SIGPLAN Notices* 45.1 (Jan. 17, 2010), pp. 93–106. ISSN: 0362-1340. DOI: [10.1145/1707801.1706312](https://doi.org/10.1145/1707801.1706312). URL: <https://doi.org/10.1145/1707801.1706312> (visited on 05/22/2020).
- [8] Benoît Combemale et al. "Essay on Semantics Definition in MDE. An Instrumented Approach for Model Verification". In: *Journal of Software* 4 (Nov. 1, 2009). DOI: [10.4304/jsw.4.9.943-958](https://doi.org/10.4304/jsw.4.9.943-958).
- [9] Lukasz Fronc and Franck Pommereau. "Towards a Certified Petri Net Model-Checker". In: *Programming Languages and Systems*. Ed. by Hongseok Yang. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer, 2011, pp. 322–336. ISBN: 978-3-642-25318-8. DOI: [10.1007/978-3-642-25318-8\\_24](https://doi.org/10.1007/978-3-642-25318-8_24).
- [10] A. Habibi and S. Tahar. "Design and Verification of SystemC Transaction-Level Models". In: *IEEE Transactions on Very Large Scale Integration (VLSI) Systems* 14.1 (Jan. 2006), pp. 57–68. ISSN: 1557-9999. DOI: [10.1109/TVLSI.2005.863187](https://doi.org/10.1109/TVLSI.2005.863187).

- [11] Xavier Leroy. "A Formally Verified Compiler Back-End". In: *Journal of Automated Reasoning* 43.4 (Nov. 4, 2009), p. 363. ISSN: 1573-0670. DOI: [10.1007/s10817-009-9155-4](https://doi.org/10.1007/s10817-009-9155-4). URL: <https://doi.org/10.1007/s10817-009-9155-4> (visited on 01/21/2020).
- [12] Andreas Lööw. "Lutsig: A Verified Verilog Compiler for Verified Circuit Development". In: *Proceedings of the 10th ACM SIGPLAN International Conference on Certified Programs and Proofs*. CPP 2021. New York, NY, USA: Association for Computing Machinery, Jan. 17, 2021, pp. 46–60. ISBN: 978-1-4503-8299-1. DOI: [10.1145/3437992.3439916](https://doi.org/10.1145/3437992.3439916). URL: <https://doi.org/10.1145/3437992.3439916> (visited on 05/04/2021).
- [13] Said Meghzili et al. "On the Verification of UML State Machine Diagrams to Colored Petri Nets Transformation Using Isabelle/HOL". In: *2017 IEEE International Conference on Information Reuse and Integration (IRI)*. 2017 IEEE International Conference on Information Reuse and Integration (IRI). Aug. 2017, pp. 419–426. DOI: [10.1109/IRI.2017.8263710](https://doi.org/10.1109/IRI.2017.8263710).
- [14] Martin Strecker. "Formal Verification of a Java Compiler in Isabelle". In: *Automated Deduction—CADE-18*. International Conference on Automated Deduction. Springer, Berlin, Heidelberg, July 27, 2002, pp. 63–77. DOI: [10.1007/3-540-45620-1\\_5](https://doi.org/10.1007/3-540-45620-1_5). URL: [https://link.springer.com/chapter/10.1007/3-540-45620-1\\_5](https://link.springer.com/chapter/10.1007/3-540-45620-1_5) (visited on 06/08/2020).
- [15] Yong Kiam Tan et al. "A New Verified Compiler Backend for CakeML". In: (), p. 14.
- [16] Zhibin Yang et al. "From AADL to Timed Abstract State Machines: A Verified Model Transformation". In: *Journal of Systems and Software* 93 (July 1, 2014), pp. 42–68. ISSN: 0164-1212. DOI: [10.1016/j.jss.2014.02.058](https://doi.org/10.1016/j.jss.2014.02.058). URL: <http://www.sciencedirect.com/science/article/pii/S0164121214000727> (visited on 01/16/2020).
- [17] Zhibin Yang et al. "Towards a Verified Compiler Prototype for the Synchronous Language SIGNAL". In: *Frontiers of Computer Science* 10.1 (Feb. 1, 2016), pp. 37–53. ISSN: 2095-2236. DOI: [10.1007/s11704-015-4364-y](https://doi.org/10.1007/s11704-015-4364-y). URL: <https://doi.org/10.1007/s11704-015-4364-y> (visited on 01/21/2020).