

**THESIS SUBMITTED FOR THE DEGREE OF DOCTOR  
OF THE UNIVERSITÉ DE MONTPELLIER**

**In Computer Science**

**Doctoral school: Information, Structures, Systèmes**

**Research unit: LIRMM**

**Verification of a methodology for the design of  
critical digital systems**

**Presented by Vincent IAMPIETRO**

**On [date of the defense]**

**Supervised by David Delahaye  
and David Andreu**

**Before the jury composed of**

[Last name First name], [Title], [Laboratory] [Jury role]

[Last name First name], [Title], [Laboratory] [Jury role]

[Last name First name], [Title], [Laboratory] [Jury role]






## *Acknowledgements*

The acknowledgments and the people to thank go here, don't forget to include your project advisor...



# Contents

|          |                                                            |           |
|----------|------------------------------------------------------------|-----------|
|          | <b>Acknowledgements</b>                                    | iii       |
| <b>1</b> | <b>Implementation of the HILECOP high-level models</b>     | <b>1</b>  |
| 1.1      | SITPN Definitions                                          | 1         |
| 1.1.1    | SITPN Structure and Well-definition                        | 1         |
|          | SITPN Structure                                            | 1         |
|          | Well-definition of an SITPN                                | 3         |
| 1.1.2    | SITPN State                                                | 3         |
| 1.1.3    | Fired Transitions                                          | 4         |
| 1.1.4    | SITPN Semantics                                            | 4         |
| 1.1.5    | SITPN Execution                                            | 6         |
| <b>2</b> | <b>Proving semantic preservation in HILECOP</b>            | <b>7</b>  |
| 2.1      | Proofs of semantic preservation in the literature          | 7         |
| 2.1.1    | Compilers for generic programming languages                | 9         |
| 2.1.2    | Compilers for hardware description languages               | 10        |
| 2.1.3    | Model transformations                                      | 11        |
| 2.1.4    | Discussions on transformations and proof strategies        | 13        |
| 2.2      | The state similarity relation                              | 13        |
| 2.3      | Behavior preservation theorem                              | 17        |
| 2.3.1    | Proof notations                                            | 18        |
| 2.3.2    | Preliminary definitions                                    | 18        |
| 2.3.3    | The behavior preservation theorem                          | 19        |
| 2.3.4    | The bisimulation theorem                                   | 22        |
| 2.4      | A detailed proof: equivalence of fired transitions         | 28        |
| 2.4.1    | An accompanied journey along the proof                     | 29        |
| 2.4.2    | A report on a bug detection                                | 39        |
| 2.5      | Mechanized verification of the proof                       | 41        |
| 2.6      | Conclusion                                                 | 44        |
| <b>A</b> | <b>Semantic preservation proof</b>                         | <b>47</b> |
| A.1      | Initial States                                             | 47        |
| A.1.1    | Initial states and marking                                 | 48        |
| A.1.2    | Initial states and time counters                           | 50        |
| A.1.3    | Initial states and reset orders                            | 51        |
| A.1.4    | Initial states and condition values                        | 53        |
| A.1.5    | Initial states and action executions                       | 53        |
| A.1.6    | Initial states and function executions                     | 54        |
| A.1.7    | Initial states and fired transitions                       | 54        |
| A.2      | First Rising Edge                                          | 54        |
| A.2.1    | First rising edge and marking                              | 56        |
| A.2.2    | First rising edge and time counters                        | 56        |
| A.2.3    | First rising edge and reset orders                         | 57        |
| A.2.4    | First rising edge and action executions                    | 59        |
| A.2.5    | First rising edge and function executions                  | 59        |
| A.2.6    | First rising edge and sensitization                        | 60        |
| A.2.7    | First rising edge and condition combination                | 61        |
| A.3      | Rising Edge                                                | 61        |
| A.3.1    | Rising edge and marking                                    | 61        |
| A.3.2    | Rising edge and condition combination                      | 62        |
| A.3.3    | Rising edge and time counters                              | 64        |
| A.3.4    | Rising edge and reset orders                               | 65        |
| A.3.5    | Rising edge and action executions                          | 72        |
| A.3.6    | Rising edge and function executions                        | 72        |
| A.3.7    | Rising edge and sensitization                              | 74        |
| A.4      | Falling Edge                                               | 78        |
| A.4.1    | Falling edge and marking                                   | 78        |
| A.4.2    | Falling edge and time counters                             | 83        |
| A.4.3    | Falling edge and condition values                          | 89        |
| A.4.4    | Falling edge and action executions                         | 89        |
| A.4.5    | Falling edge and function executions                       | 91        |
| A.4.6    | Falling edge and firable transitions                       | 92        |
| A.4.7    | Falling edge and fired transitions                         | 102       |

# List of Figures

|     |                                                                                                                          |    |
|-----|--------------------------------------------------------------------------------------------------------------------------|----|
| 1.1 | Example of conflict between two transitions                                                                              | 2  |
| 1.2 | Example of two separate conflict groups                                                                                  | 3  |
| 2.1 | Simulation diagrams                                                                                                      | 8  |
| 2.2 | An example of bisimulation diagram                                                                                       | 12 |
| 2.3 | Bisimulation diagram over one clock cycle for a source SITPN and a target $\mathcal{H}$-VHDL design                      | 25 |
| 2.4 | A set of fired transitions                                                                                               | 30 |
| 2.5 | The fired output port in the transition design architecture                                                              | 31 |
| 2.6 | Connection of the priority_authorizations ports and of the fired and output_transitions_fired ports between a PCI and a TCI | 34 |
| 2.7 | The priority_authorizations output port in the place design architecture                                                 | 34 |
| 2.8 | Connection between the priority_authorizations, output_transitions_fired and fired ports of a PCI and 3 TCIs             | 36 |
| 2.9 | Bug detection in the place and transition designs                                                                        | 40 |



# List of Tables

|     |                                                                                             |    |
|-----|---------------------------------------------------------------------------------------------|----|
| A.1 | Constants and signals reference for the $\mathcal{H}$-VHDL transition and place designs     | 47 |



# List of Abbreviations

|              |                                                                   |
|--------------|-------------------------------------------------------------------|
| <b>SITPN</b> | Synchronously executed Interpreted Time Petri Net with priorities |
| <b>VHDL</b>  | Very high speed integrated circuit Hardware Description Language  |
| <b>PCI</b>   | Place Component Instance                                          |
| <b>TCI</b>   | Transition Component Instance                                     |
| <b>GPL</b>   | Generic Programming Language                                      |
| <b>HDL</b>   | Hardware Description Language                                     |



*For/Dedicated to/To my...*



## Chapter 1

# Implementation of the HILECOP high-level models

## 1.1 SITPN Definitions

### 1.1.1 SITPN Structure and Well-definition

#### SITPN Structure

**Definition 1** (SITPN). A synchronously executed, extended, generalized, interpreted, and time Petri net with priorities is a tuple

$\langle P, T, \text{pre}, \text{post}, M_0, \succ, \mathcal{A}, \mathcal{C}, \mathcal{F}, \mathbb{A}, \mathbb{C}, \mathbb{F}, I_s \rangle$ , where we have:

1.  $P = \{p_0, \dots, p_n\}$ , a finite set of places.
2.  $T = \{t_0, \dots, t_m\}$ , a finite set of transitions.
3.  $\text{pre} \in P \rightarrow T \rightsquigarrow (\mathbb{N}^* \times \{\text{basic, inhib, test}\})$ , the function associating a weight to place-transition edges.
4.  $\text{post} \in T \rightarrow P \rightsquigarrow \mathbb{N}^*$ , the function associating a weight to transition-place edges.
5.  $M_0 \in P \rightarrow \mathbb{N}$ , the initial marking of the SITPN.
6.  $\succ \subseteq (T \times T)$ , the priority relation which is a strict order over the set of transitions.
7.  $\mathcal{A} = \{a_0, \dots, a_n\}$ , a set of continuous actions.
8.  $\mathcal{C} = \{c_0, \dots, c_n\}$ , a set of conditions.
9.  $\mathcal{F} = \{f_0, \dots, f_n\}$ , a set of functions (discrete actions).
10.  $\mathbb{A} \in P \rightarrow \mathcal{A} \rightarrow \mathbb{B}$ , the function associating actions to places.  
 $\forall p \in P, \forall a \in \mathcal{A}, \mathbb{A}(p, a) = \text{true}$ , if  $a$  is associated to  $p$ ,  $\mathbb{A}(p, a) = \text{false}$  otherwise.
11.  $\mathbb{F} \in T \rightarrow \mathcal{F} \rightarrow \mathbb{B}$ , the function associating functions to transitions.  
 $\forall t \in T, \forall f \in \mathcal{F}, \mathbb{F}(t, f) = \text{true}$ , if  $f$  is associated to  $t$ ,  $\mathbb{F}(t, f) = \text{false}$  otherwise.
12.  $\mathbb{C} \in T \rightarrow \mathcal{C} \rightarrow \{-1, 0, 1\}$ , the function associating conditions to transitions.  
 $\forall t \in T, \forall c \in \mathcal{C}, \mathbb{C}(t, c) = 1$ , if  $c$  is associated to  $t$ ,  $\mathbb{C}(t, c) = -1$ , if  $\bar{c}$  is associated to  $t$ ,  $\mathbb{C}(t, c) = 0$  otherwise.
13.  $I_s \in T \rightsquigarrow \mathbb{I}^+$ , the partial function associating static time intervals to transitions, where  $\mathbb{I}^+ \subseteq (\mathbb{N}^* \times (\mathbb{N}^* \sqcup \{\infty\}))$ .  $T_i$  denotes the definition domain of  $I_s$ , i.e. the set of time transitions.

#### Conflict Definition

In the definition of an SITPN, the priority relation is a means of solving a situation of conflict between a pair of transitions. We keep the definition of a conflict as simple as possible. Informally, two transitions are in conflict if they have a common input place and if both are linked to this input place by a basic arc. Figure 1.1 depicts a situation of conflict between two transitions.

At some point in the execution of the SITPN, the marking may enable both transitions of a conflicting pair in such a way that the firing of one transition disables the other; the conflict is then said to be *effective*. The behavior of PNs is fundamentally asynchronous, and a token can only be consumed by one transition. However, in a synchronous setting such as that of the SITPN, all transitions are first elected to be fired, and then all fired at the same time. Therefore, the situation can arise where the same token is consumed by two transitions, because they are in effective conflict and both elected to be fired (e.g., Figure 1.1). To prevent this “double spending”, the well-definition property of an SITPN enforces the resolution of all conflicts, i.e., the ability to decide which transition of a conflicting pair will be fired when the conflict becomes effective.



FIGURE 1.1: Example of conflict between two transitions

The formal definition of a conflict is as follows:

**Definition 2** (Conflict). *For a given  $\text{sitpn} \in \text{SITPN}$ , two transitions  $t, t' \in T$  are in conflict if and only if there exists a place  $p \in P$  such that  $p \in \text{input}(t) \cap \text{input}(t')$  and there exist  $n, m \in \mathbb{N}^*$  such that  $\text{pre}(p, t) = (n, \text{basic})$  and  $\text{pre}(p, t') = (m, \text{basic})$ .*

A conflict group denotes a finite set of transitions that are all in conflict with each other through the same place. In Figure 1.1, the set  $\{t_0, t_1\}$  is a conflict group. The formal definition of a conflict group is as follows:

**Definition 3** (Conflict Group). *For a given  $\text{sitpn} \in \text{SITPN}$ ,  $T_c \subseteq T$  is a conflict group if and only if there exists a place  $p$  such that  $\forall t \in \text{output}(p), (\exists n \in \mathbb{N}^*, \text{pre}(p, t) = (n, \text{basic})) \Leftrightarrow t \in T_c$ .*

Contrary to the statement made in [11, p. 67], we no longer consider the notion of conflict to be transitive. To illustrate this, Figure 1.2 shows two conflict groups:  $\{t_0, t_1\}$  and  $\{t_1, t_2\}$ . In a well-defined SITPN (see Section 1.1.1), all conflicts in a conflict group must be dealt with, i.e., for every pair of transitions in the group the conflict must be solved. However, we no longer consider transitions  $t_0$  and  $t_2$  to be in conflict. We argue that even when no conflict resolution technique is applied between transitions in the same situation as  $t_0$  and  $t_2$ , the execution of the SITPN can neither result in the double spending of a token, nor in a transition not being elected to be fired even though it ought to be. Therefore, we no longer consider the construction of merged conflict groups (i.e., merging conflict groups into one whenever their intersection is not empty; e.g.,  $\{t_0, t_1, t_2\}$  in Figure 1.2) to be necessary.



FIGURE 1.2: Example of two separate conflict groups

#### Well-definition of an SITPN

A given  $sitpn \in SITPN$  is well-defined if it satisfies some properties required of the HILECOP source models before the transformation into VHDL. If the properties laid out in Def. 4 are not ensured, they lead to compile-time errors during the transformation into VHDL.

**Definition 4** (Well-defined SITPN). *A given  $sitpn \in SITPN$  is well-defined if and only if:*

- $T \neq \emptyset$ , the set of transitions must not be empty.
- $P \neq \emptyset$ , the set of places must not be empty.
- There is no isolated place, i.e. a place that has neither input nor output transitions:  
 $\nexists p \in P, \text{input}(p) = \emptyset \wedge \text{output}(p) = \emptyset$ , where  $\text{input}(p)$  (resp.  $\text{output}(p)$ ) denotes the set of input (resp. output) transitions of  $p$ .
- There is no isolated transition, i.e. a transition that has neither input nor output places:  
 $\nexists t \in T, \text{input}(t) = \emptyset \wedge \text{output}(t) = \emptyset$ , where  $\text{input}(t)$  (resp.  $\text{output}(t)$ ) denotes the set of input (resp. output) places of  $t$ .
- All conflicts must be solved by a means of mutual exclusion: priority relation, mutually exclusive conditions, mutually exclusive time intervals, or structural mutual exclusion.
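As an added illustration (not code from the thesis), the following Python encodes Definitions 2 to 4 over a constructed net shaped like Figure 1.2; the dictionary encoding of `pre`, `post` and the priority relation, and the function names, are choices made here. Structural mutual exclusion is not defined on this page, so the check only covers priorities, mutually exclusive conditions and disjoint static time intervals.

```python
from itertools import combinations

# Constructed encoding: pre maps (p, t) to (weight, "basic" | "inhib" | "test"),
# post maps (t, p) to a weight, prio holds pairs (t_hi, t_lo) meaning t_hi ≻ t_lo,
# conds maps t to {c: 1} (c required) or {c: -1} (c̄ required), Is maps t to (lower, upper).

def input_places(pre, t):
    return {p for (p, t2) in pre if t2 == t}

def output_trans(pre, p):
    return {t for (p2, t) in pre if p2 == p}

def in_conflict(pre, t, t2):
    """Definition 2: a shared input place reached by a basic arc from both transitions."""
    return any(pre[(p, t)][1] == "basic" and pre[(p, t2)][1] == "basic"
               for p in input_places(pre, t) & input_places(pre, t2))

def conflict_groups(pre, places):
    """Definition 3: per place, the output transitions linked to it by a basic arc
    (groups of fewer than two transitions carry no conflict and are dropped)."""
    groups = set()
    for p in places:
        g = frozenset(t for t in output_trans(pre, p) if pre[(p, t)][1] == "basic")
        if len(g) >= 2:
            groups.add(g)
    return groups

def solved(t, t2, prio, conds, Is):
    """Three of the mutual-exclusion means of Definition 4: a priority between t and t2,
    a condition used as c by one and as c̄ by the other, or disjoint static time intervals."""
    if (t, t2) in prio or (t2, t) in prio:
        return True
    ct, ct2 = conds.get(t, {}), conds.get(t2, {})
    if any(c in ct2 and ct[c] == -ct2[c] for c in ct):
        return True
    if t in Is and t2 in Is:
        (a, b), (c, d) = Is[t], Is[t2]          # None stands for an infinite upper bound
        return (b is not None and b < c) or (d is not None and d < a)
    return False

def well_defined(places, trans, pre, post, prio, conds, Is):
    """Definition 4; returns the violated properties (an empty list means well-defined)."""
    errs = []
    if not trans:
        errs.append("no transition")
    if not places:
        errs.append("no place")
    for p in sorted(places):
        if not output_trans(pre, p) and not any(q == p for (_, q) in post):
            errs.append(f"isolated place {p}")
    for t in sorted(trans):
        if not input_places(pre, t) and not any(t2 == t for (t2, _) in post):
            errs.append(f"isolated transition {t}")
    for g in conflict_groups(pre, places):
        for t, t2 in combinations(sorted(g), 2):
            if not solved(t, t2, prio, conds, Is):
                errs.append(f"unsolved conflict {t}/{t2}")
    return errs

# Constructed net in the situation of Figure 1.2: p0 feeds t0 and t1, p1 feeds t1 and t2,
# giving the two conflict groups {t0, t1} and {t1, t2}; t0 and t2 are not in conflict.
PLACES, TRANS = {"p0", "p1", "p2"}, {"t0", "t1", "t2"}
PRE = {("p0", "t0"): (1, "basic"), ("p0", "t1"): (1, "basic"),
       ("p1", "t1"): (1, "basic"), ("p1", "t2"): (1, "basic"),
       ("p2", "t2"): (1, "test")}                 # a test arc never creates a conflict
POST = {("t0", "p2"): 1, ("t1", "p2"): 1, ("t2", "p0"): 1}
PRIO = {("t0", "t1")}                              # t0 ≻ t1 solves the first group
CONDS = {"t1": {"c0": 1}, "t2": {"c0": -1}}        # c0 / c̄0 solve the second group
IS = {}

if __name__ == "__main__":
    print(conflict_groups(PRE, PLACES))
    print(well_defined(PLACES, TRANS, PRE, POST, PRIO, CONDS, IS))
```

Dropping `PRIO` leaves the conflict between `t0` and `t1` unsolved, which is exactly the double-spending situation the well-definition property rules out.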

### 1.1.2 SITPN State

**Definition 5** (SITPN State). *For a given  $sitpn \in SITPN$ , let  $S(sitpn)$  be the set of possible states of  $sitpn$ . An SITPN state  $s \in S(sitpn)$  is a tuple  $\langle M, I, \text{reset}_t, ex, cond \rangle$ , where:*

1.  $M \in P \rightarrow \mathbb{N}$  is the current marking of  $sitpn$ .
2.  $I \in T_i \rightarrow \mathbb{N} \sqcup \{\psi\}$  is the function mapping time transitions to their current time counter value, or to the locked value  $\psi$ .
3.  $\text{reset}_t \in T_i \rightarrow \mathbb{B}$  is the function mapping time transitions to time interval reset orders (defined as Booleans).
4.  $ex \in \mathcal{A} \sqcup \mathcal{F} \rightarrow \mathbb{B}$  is the function representing the current activation (resp. execution) state of actions (resp. functions).
5.  $cond \in \mathcal{C} \rightarrow \mathbb{B}$  is the function representing the current value of conditions (defined as Booleans).

### 1.1.3 Fired Transitions

**Remark 1** (Relations between markings). *For every relation  $\mathcal{R}$  between two marking functions  $M$  and  $M'$ , the expression  $\mathcal{R}(M, M')$  is a notation for  $\forall p \in P, \mathcal{R}(M(p), M'(p))$ . For instance,  $M' = M - \sum_{t_i \in Pr(t)} pre(t_i)$  is a notation for  $\forall p \in P, M'(p) = M(p) - \sum_{t_i \in Pr(t)} pre(p, t_i)$ .*

**Remark 2** (Sum expressions and arc types). *Many times in this document, we need to express the number of tokens coming in or out of places, after the firing of a certain subset of transitions. To do so, we use two kinds of sum expression:*

1. *The first kind of expression computes a number of output tokens. For instance, for a given place  $p$ ,  $\sum_{t \in T'} pre(p, t)$  where  $T' \subseteq T$ . This expression is a notation for  $\sum_{t \in T'} \begin{cases} \omega & \text{if } pre(p, t) = (\omega, \text{basic}) \\ 0 & \text{otherwise} \end{cases}$ . Indeed, when computing a sum of output tokens (i.e., resulting from a firing process), we want to add to the sum the weight of the arc between place  $p$  and a transition  $t \in T'$  only if there exists an arc of type `basic` from  $p$  to  $t$  (remember that test and inhibitor arcs never lead to the withdrawal of tokens during the firing process). Otherwise, we add 0 to the sum, as it is the neutral element of addition over natural numbers.*
2. *The second kind of expression computes a number of input tokens. For instance, for a given place  $p$ ,  $\sum_{t \in T'} post(t, p)$  where  $T' \subseteq T$ . This expression is a notation for  $\sum_{t \in T'} \begin{cases} \omega & \text{if } post(t, p) = \omega \\ 0 & \text{otherwise} \end{cases}$ . Here, we add the weight of the arc from  $t$  to  $p$  only if such an arc exists; we add 0 to the sum otherwise.*

*Therefore, in the remainder of the document, we use the more concise notations  $\sum_{t \in T'} pre(p, t)$  to denote output token sums, and  $\sum_{t \in T'} post(t, p)$  to denote input token sums.*

**Definition 6** (Sensitization). *A transition  $t \in T$  is said to be sensitized by a marking  $M$ , which is noted  $t \in Sens(M)$ , if and only if  $\forall p \in P, \omega \in \mathbb{N}^*, (pre(p, t) = (\omega, \text{basic}) \vee pre(p, t) = (\omega, \text{test})) \Rightarrow M(p) \geq \omega$ , and  $pre(p, t) = (\omega, \text{inhib}) \Rightarrow M(p) < \omega$ .*

**Definition 7** (Sensitization by test and basic arcs). *A transition  $t \in T$  is said to be sensitized by its basic and test arcs at a marking  $M$ , which is noted  $t \in Sens_{bt}(M)$ , if and only if  $\forall p \in P, \omega \in \mathbb{N}^*, (pre(p, t) = (\omega, \text{basic}) \vee pre(p, t) = (\omega, \text{test})) \Rightarrow M(p) \geq \omega$ .*

**Definition 8** (Firability). *A transition  $t \in T$  is said to be firable at a state  $s = \langle M, I, reset_t, ex, cond \rangle$ , which is noted  $t \in Firable(s)$ , if and only if  $t \in Sens(M)$ , and  $t \notin T_i$  or  $I(t) \in I_s(t)$ , and  $\forall c \in \mathcal{C}, \mathbb{C}(t, c) = 1 \Rightarrow cond(c) = 1$  and  $\mathbb{C}(t, c) = -1 \Rightarrow cond(c) = 0$ .*

**Definition 9** (Fired). *A transition  $t \in T$  is said to be fired at the SITPN state  $s = \langle M, I, reset_t, ex, cond \rangle$ , which is noted  $t \in Fired(s)$ , if and only if  $t \in Firable(s)$  and  $t \in Sens(M - \sum_{t_i \in Pr(t)} pre(t_i))$ , where  $Pr(t) = \{t_i \mid t_i \succ t \wedge t_i \in Fired(s)\}$ .*

### 1.1.4 SITPN Semantics

**Definition 10** (SITPN Semantics). *The semantics of an SITPN is the transition system  $\langle S, L, E, \rightsquigarrow \rangle$  where:*

- *S is the set of states of the SITPN.*

- $s_0 = \langle M_0, O_{\mathbb{N}}, O_{\mathbb{B}}, O_{\mathbb{B}}, O_{\mathbb{B}} \rangle$  is the initial state of the SITPN, where  $M_0$  is the initial marking of the SITPN,  $O_{\mathbb{N}}$  is the function that always returns 0, and  $O_{\mathbb{B}}$  is the function that always returns false.
- $L \subseteq Clk \times \mathbb{N}$  is the set of transition labels, where  $Clk = \{\uparrow, \downarrow\}$ . A label is a pair  $(clk, \tau)$  composed of a clock event  $clk \in Clk$  and a time value  $\tau \in \mathbb{N}$  expressing the current count of clock cycles.
- $E \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$  is the environment function, which gives (Boolean) values to conditions ( $\mathcal{C}$ ) depending on the count of clock cycles ( $\mathbb{N}$ ).
- $\rightsquigarrow \subseteq S \times L \times S$  is the state transition relation, noted  $E, \tau \vdash s \xrightarrow{clk} s'$  where  $s, s' \in S$  and  $(clk, \tau) \in L$ , and defined as follows:
  - Falling edge:  $\forall \tau \in \mathbb{N}, E, \tau \vdash s \xrightarrow{\downarrow} s'$ , where  $s = \langle M, I, reset_t, ex, cond \rangle$  and  $s' = \langle M, I', reset_t, ex', cond' \rangle$ , if:
    - (1)  $cond'$  is the function giving the (Boolean) values of conditions extracted from the environment at the clock count  $\tau$ , i.e.:

      $$\forall c \in \mathcal{C}, cond'(c) = E(\tau, c).$$
    - (2) All the actions associated with at least one marked place in the marking  $M$  are activated, i.e.:

      $$\forall a \in \mathcal{A}, ex'(a) = \sum_{p \in \text{marked}(M)} \mathbb{A}(p, a) \text{ where } p \in \text{marked}(M) \equiv M(p) > 0.$$
    - (3) All the time transitions that are sensitized by the marking  $M$  and received the order to reset their time intervals have their time counter reset and incremented, i.e.:

      $$\forall t \in T_i, t \in \text{Sens}(M) \wedge reset_t(t) = \text{true} \Rightarrow I'(t) = 1.$$
    - (4) All the time transitions with active time counters that are sensitized by the marking  $M$  and did not receive a reset order have their time counters incremented, i.e.:

      $$\forall t \in T_i, t \in \text{Sens}(M) \wedge reset_t(t) = \text{false} \wedge (I(t) \leq upper(I_s(t)) \vee upper(I_s(t)) = \infty) \Rightarrow I'(t) = I(t) + 1.$$
    - (5) All the time transitions verifying the same conditions as above, but with locked counters, keep their counters locked, i.e.:

      $$\forall t \in T_i, t \in \text{Sens}(M) \wedge reset_t(t) = \text{false} \wedge I(t) > upper(I_s(t)) \wedge upper(I_s(t)) \neq \infty \Rightarrow I'(t) = I(t).$$
    - (6) All the time transitions that are not sensitized by the marking  $M$  have their time counters set to zero, i.e.:

      $$\forall t \in T_i, t \notin \text{Sens}(M) \Rightarrow I'(t) = 0.$$
  - Rising edge:  $\forall \tau \in \mathbb{N}, E, \tau \vdash s \xrightarrow{\uparrow} s'$ , where  $s = \langle M, I, reset_t, ex, cond \rangle$  and  $s' = \langle M', I, reset'_t, ex', cond' \rangle$ , if:
    - (7)  $M'$  is the new marking resulting from the firing of all the transitions contained in  $\text{Fired}(s)$ , i.e.:

      $$M' = M - \sum_{t \in \text{Fired}(s)} pre(t) + \sum_{t \in \text{Fired}(s)} post(t).$$
    - (8) A time transition  $t$  receives a reset order if it is fired at state  $s$ , or if there exists a place  $p$  connected to  $t$  by a basic or test arc such that at least one output transition of  $p$  is fired and the transient marking of  $p$  disables  $t$ ; no reset order is sent otherwise:

      $$\begin{aligned} \forall t \in T_i, t \in Fired(s) \\ \vee (\exists p \in P, \omega \in \mathbb{N}^*, (pre(p, t) = (\omega, \text{basic}) \vee pre(p, t) = (\omega, \text{test})) \\ \wedge \sum_{t_i \in Fired(s)} pre(p, t_i) > 0 \\ \wedge s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega) \Rightarrow reset'_t(t) = \text{true}, \\ \text{and } reset'_t(t) = \text{false otherwise.} \end{aligned}$$
    - (9) All functions associated with at least one fired transition are executed, i.e.:

      $$\forall f \in \mathcal{F}, ex'(f) = \sum_{t \in Fired(s)} \mathbb{F}(t, f).$$

### 1.1.5 SITPN Execution

**Definition 11** (SITPN Execution Cycle). For a given  $sitpn \in SITPN$ , two states  $s, s'' \in S(sitpn)$ , a clock cycle count  $\tau \in \mathbb{N}$ , and an environment  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $sitpn$  passes from state  $s$  to state  $s''$  in one clock cycle, written  $E_c, \tau \vdash sitpn, s \xrightarrow{\uparrow \downarrow} s''$ , iff  $\exists s' \text{ s.t. } E_c, \tau \vdash sitpn, s \xrightarrow{\uparrow} s'$  and  $E_c, \tau \vdash sitpn, s' \xrightarrow{\downarrow} s''$ .

**Definition 12** (SITPN Execution). For a given  $sitpn \in SITPN$ , a starting state  $s \in S(sitpn)$ , a clock cycle count  $\tau \in \mathbb{N}$ , and an environment  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $sitpn$  yields the execution trace  $\theta$  from starting state  $s$ , written  $E_c, \tau \vdash sitpn, s \rightarrow \theta$ , by following the two rules below.

$$\text{EXECUTIONEND}\quad \frac{}{E_c, 0 \vdash sitpn, s \rightarrow []} \qquad \text{EXECUTIONLOOP}\quad \frac{E_c, \tau \vdash sitpn, s \xrightarrow{\uparrow} s' \quad E_c, \tau \vdash sitpn, s' \xrightarrow{\downarrow} s'' \quad E_c, \tau - 1 \vdash sitpn, s'' \rightarrow \theta}{E_c, \tau \vdash sitpn, s \rightarrow (s' :: s'' :: \theta)} \quad (\tau > 0)$$

**Definition 13** (SITPN Full Execution). For a given  $sitpn \in SITPN$ , a clock cycle count  $\tau \in \mathbb{N}$ , and an environment  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $sitpn$  yields the execution trace  $\theta$  starting from its initial state  $s_0 \in S(sitpn)$  (as defined in Def. 10), written  $E_c, \tau \vdash sitpn \rightarrow \theta$ , by following the two rules below.

$$\text{FULLEXEC0}\quad \frac{}{E_c, 0 \vdash sitpn \xrightarrow{full} [s_0]} \qquad \text{FULLEXECONS}\quad \frac{E_c, \tau \vdash s_0 \xrightarrow{\uparrow_0} s_0 \quad E_c, \tau \vdash s_0 \xrightarrow{\downarrow} s \quad E_c, \tau - 1 \vdash sitpn, s \rightarrow \theta_s}{E_c, \tau \vdash sitpn \xrightarrow{full} (s_0 :: s_0 :: s :: \theta_s)} \quad (\tau > 0)$$
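To make Definitions 6 to 13 concrete, here is an added executable model (not the thesis' own Coq development) of the SITPN state, the firing process and the falling and rising edge rules, run on a constructed net in the situation of Figure 1.1. The record encoding, the function names and the environment `env_true` are assumptions made here; Definition 9 is unfolded by deciding each transition only once every higher-priority transition has been decided, which the strict order  $\succ$  guarantees is always possible.

```python
from collections import namedtuple

INF = None  # upper bound "infinity" of a static time interval I_s(t)

# Definitions 1 and 5 as plain records (a constructed encoding, not the thesis' Coq types):
#   pre: (p, t) -> (weight, "basic" | "inhib" | "test");  post: (t, p) -> weight
#   prio: set of (t_hi, t_lo) with t_hi ≻ t_lo;  actions: p -> set;  conds: t -> {c: 1 | -1}
#   funcs: t -> set of functions;  Is: time transition -> (lower, upper)
SITPN = namedtuple("SITPN", "places transitions pre post m0 prio actions conds funcs Is")
State = namedtuple("State", "M I reset ex cond")   # <M, I, reset_t, ex, cond>

def sens(net, t, M):
    """Definition 6: basic/test arcs satisfied, inhibitor arcs blocking."""
    for (p, t2), (w, kind) in net.pre.items():
        if t2 == t and ((M[p] >= w) if kind == "inhib" else (M[p] < w)):
            return False
    return True

def firable(net, t, s):
    """Definition 8: sensitized, counter inside I_s(t) for time transitions, conditions met."""
    lo, hi = net.Is.get(t, (0, INF))
    in_interval = lo <= s.I.get(t, 0) and (hi is INF or s.I.get(t, 0) <= hi)
    return (sens(net, t, s.M) and in_interval
            and all(s.cond[c] == (v == 1) for c, v in net.conds.get(t, {}).items()))

def out_sum(net, p, ts):
    """Remark 2: tokens withdrawn from p when the transitions ts fire (basic arcs only)."""
    return sum(w for (q, t), (w, k) in net.pre.items() if q == p and t in ts and k == "basic")

def fired(net, s):
    """Definition 9, unfolded along the priority order (Pr(t) is decided before t)."""
    decided = {}
    while len(decided) < len(net.transitions):
        for t in sorted(net.transitions - set(decided)):
            higher = {hi for (hi, lo) in net.prio if lo == t}
            if higher <= set(decided):               # Pr(t) is known: decide t now
                pr = {h for h in higher if decided[h]}
                transient = {p: s.M[p] - out_sum(net, p, pr) for p in net.places}
                decided[t] = firable(net, t, s) and sens(net, t, transient)
    return frozenset(t for t, f in decided.items() if f)

def falling_edge(net, env, tau, s):
    """Rules (1)-(6): sample conditions, activate actions, update time counters."""
    cond = {c: env(tau, c) for c in s.cond}                                       # (1)
    ex = dict(s.ex)
    for a in {a for acts in net.actions.values() for a in acts}:                   # (2)
        ex[a] = any(a in net.actions.get(p, set()) for p in net.places if s.M[p] > 0)
    I = {}
    for t, (lo, hi) in net.Is.items():
        if not sens(net, t, s.M):
            I[t] = 0                                                               # (6)
        elif s.reset[t]:
            I[t] = 1                                                               # (3)
        else:   # (4) count until the upper bound is passed, then (5) stay locked
            I[t] = s.I[t] + 1 if (hi is INF or s.I[t] <= hi) else s.I[t]
    return State(s.M, I, s.reset, ex, cond)

def rising_edge(net, s):
    """Rules (7)-(9): fire Fired(s), emit reset orders, execute functions."""
    f = fired(net, s)
    M = {p: s.M[p] - out_sum(net, p, f)                                            # (7)
            + sum(w for (t, q), w in net.post.items() if q == p and t in f)
         for p in net.places}
    reset = {t: t in f for t in net.Is}                                            # (8)
    for (p, t), (w, kind) in net.pre.items():
        taken = out_sum(net, p, f)
        if t in net.Is and kind != "inhib" and taken > 0 and s.M[p] - taken < w:
            reset[t] = True                        # transient marking of p disables t
    ex = dict(s.ex)
    for fn in {fn for fs in net.funcs.values() for fn in fs}:
        ex[fn] = any(fn in net.funcs.get(t, set()) for t in f)                     # (9)
    return State(M, s.I, reset, ex, s.cond)        # conditions are sampled on the falling edge only

def execute(net, env, tau, s):
    """Definition 12: EXECUTIONEND at tau = 0, otherwise one EXECUTIONLOOP step."""
    if tau == 0:
        return []
    s1 = rising_edge(net, s)
    s2 = falling_edge(net, env, tau, s1)
    return [s1, s2] + execute(net, env, tau - 1, s2)

def full_execution(net, env, tau):
    """Definition 13: the first rising edge leaves s_0 unchanged (rule FULLEXECONS)."""
    s0 = State(dict(net.m0), {t: 0 for t in net.Is}, {t: False for t in net.Is},
               {x: False for xs in (*net.actions.values(), *net.funcs.values()) for x in xs},
               {c: False for cs in net.conds.values() for c in cs})
    if tau == 0:
        return [s0]
    s = falling_edge(net, env, tau, s0)
    return [s0, s0, s] + execute(net, env, tau - 1, s)

# Constructed net in the situation of Figure 1.1: one token in p0 is shared by t0 and t1
# through basic arcs, and the conflict is solved by the priority t0 ≻ t1.
NET = SITPN(places=frozenset({"p0", "p1", "p2"}), transitions=frozenset({"t0", "t1"}),
            pre={("p0", "t0"): (1, "basic"), ("p0", "t1"): (1, "basic")},
            post={("t0", "p1"): 1, ("t1", "p2"): 1}, m0={"p0": 1, "p1": 0, "p2": 0},
            prio={("t0", "t1")}, actions={"p0": {"a0"}}, conds={"t0": {"c0": 1}},
            funcs={"t0": {"f0"}}, Is={"t1": (1, 2)})

def env_true(tau, c): return True   # constructed environment E_c: every condition reads true
```

`full_execution(NET, env_true, 2)` yields the five-state trace  $s_0 :: s_0 :: s :: s' :: s''$ : on the rising edge only  $t_0$  fires, the token of  $p_0$  is spent once, and  $t_1$  receives a reset order because the transient marking disables it.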

## Chapter 2

# Proving semantic preservation in HILECOP

In this chapter, we present our semantic preservation theorem (or behavior preservation theorem; both denominations are equivalent) along with its informal “paper” proof. The written proof is about a hundred pages long once the LaTeX files are compiled. Therefore, we only present here the “high-level” theorems and lemmas involved in the demonstration, and some points of our proof strategy. The full proof is available to the reader in Appendix A, and the theorems and lemmas presented in this chapter refer to the lemmas of Appendix A. The structure of this chapter is as follows: in Section 2.1, we present our review of the literature pertaining to the proof of semantic preservation theorems for transformation functions; in Section 2.2, we detail our state similarity relation, i.e. the semantic bond between an SITPN and its  $\mathcal{H}$ -VHDL translation; in Section 2.3, we draw out our behavior preservation theorem; in Section 2.4, we detail a particular point of the proof related to the SITPN firing process, and take the opportunity to demonstrate our proof strategy; we also show how this point of the proof led to the detection of a bug in the code of the  $\mathcal{H}$ -VHDL transition design; in Section 2.5, we present some points of the mechanization of the proof with the Coq proof assistant.

## 2.1 Proofs of semantic preservation in the literature

In this section, we present our review of the literature pertaining to the verification of transformation functions. A transformation function is understood here as any kind of mapping from a source representation to a target representation, where the source and target representations possess a behavior of their own (i.e., they are executable). Here, we focus on verification techniques based on the proof of semantic preservation theorems, with a particular interest in proofs mechanized within the framework of a proof assistant. We are interested in how to prove that transformation functions are semantic preserving, and in particular in the expression of semantic preservation theorems, i.e., what is meant by semantic preservation, and in identifying the usual proof strategies.

The goal is to draw our inspiration from the literature, and to see how far the correspondence holds between our specific case of transformation and other cases of transformations. The material used for the literature review is divided into three categories. Each category covers a specific case of transformation function; the three categories are:

- Compilers for generic programming languages
- Compilers for hardware description languages
- Model-to-model and model-to-text transformations

In [12], X. Leroy presents the two points of major importance for expressing semantic preservation theorems for GPL compilers, and more generally for understanding the meaning of semantic preservation.

The first point is to clearly state how things are compared between the source and the target programs, that is, to describe the runtime state of the source and of the target, and to draw a correspondence between the two. This is expressed through a state comparison relation.

The second point is to relate the execution of the source program to the execution of the target program through a *simulation* diagram, equivalently named *bisimulation* or *commuting* diagram. Figure 2.1, excerpted from [12], shows the different kinds of simulation diagrams that can relate two programs.



FIGURE 2.1: Simulation diagrams relating the execution of a source program to the execution of a target program;  $S_1$  and  $S_2$  are the initial states of the source and the target program, and  $S'_1$  and  $S'_2$  are the final states of the source and target program, i.e. the states resulting from the execution of the two programs. The  $\sim$  symbol represents the state comparison relation between the source and target language states. The arrows represent the execution relation for the source and target program producing the observable execution trace  $t$ .

Choosing an adequate simulation diagram to express a semantic preservation theorem depends on the kinds of behavior a given program can exhibit. In the case of GPL programs, X. Leroy lists three kinds of possible behaviors: either the program execution succeeds and returns a value, or the program execution fails and returns an error, or the program execution diverges. In the case where the source program execution succeeds, a theorem of semantic preservation takes the general form of Definition 14.

**Definition 14** (General behavior preservation theorem). *Consider a source programming language  $L_1$  and a target programming language  $L_2$ , and a source program  $P_1 \in L_1$  compiled into a target program  $P_2 \in L_2$  by compiler  $\text{comp} \in L_1 \rightarrow L_2$ . Consider an initial state  $S_1$  for program  $P_1$  and an initial state  $S_2$  for program  $P_2$  such that  $S_1$  and  $S_2$  are similar states w.r.t. to a given state comparison relation established between  $L_1$  and  $L_2$ . Then, compiler  $\text{comp}$  is semantic preserving if it verifies the following property:*

*If the execution of $P_1$ leads from state $S_1$ to final state $S'_1$, then there exists a final state $S'_2$ resulting from the execution of program $P_2$ from state $S_2$ such that $S'_1$ and $S'_2$ are similar w.r.t. the state comparison relation.*

Compiler verification aims at proving the kind of theorem stated above. The other kind of task that can be applied to certify a compiler is compiler validation. Compiler validation is interested in generating a proof of behavior preservation (or a counter-example showing that behaviors diverge) for a given input program alongside the compilation process. Thus, for a given input program, the compiler yields a target program and the proof that the input and target programs have the same behavior. Exhibiting a theorem of semantic preservation is stronger than building a proof of semantic preservation for each input program. Therefore, compiler verification is stronger than compiler validation. The aim of this thesis is to perform compiler *verification* over the HILECOP methodology.

Now that we have clarified the meaning of semantic preservation for GPL compilers, we state that this definition of semantic preservation also holds for the more general case of a transformation from a source representation to a target representation. The only condition for being able to verify that a transformation is semantics preserving is that the source and target representations must have an execution semantics (i.e., the instances of the source and target representations must be executable).

For each article of the literature review presenting a specific case of transformation, we asked the following questions:

- What are the similarities and differences between the source and target representations? Are they programs of GPLs, or models of a given modeling formalism?
- How is the runtime state of the source and target representations defined?
- How is the state comparison relation expressed?
- How is the semantic preservation theorem stated?
- What proof strategy is employed?

### 2.1.1 Compilers for generic programming languages

Taking the CompCert compiler as an example, the compilation pass from Clight programs to Cminor programs is described in [2, 12]. Clight is a subset of the C language, and Cminor is a low-level imperative language. The two languages are endowed with a big-step operational semantics. Here, the execution states of the source and target languages are memory models (naturally, since we are dealing with programming languages). The memory model consists of block references; each block has a lower and an upper bound. To access data, one has to specify the block reference along with the size of the accessed data (i.e., the data type) and the offset from the start of the block (i.e., where to begin reading the data). Regarding the proof of semantic preservation, the most difficult point is to relate the memory state of the source program to the memory state of the target program. To do so, the authors define a *memory injection* relation that binds the values of source and target together. They also establish a relation to compare execution environments, i.e., the environments holding the declarations of functions, global variables, etc. The proof of semantic preservation is built incrementally. First, the authors prove a correctness lemma for Clight expressions: if a Clight expression $a$ evaluates to value $v$, then the translated Cminor expression $[a]$ evaluates to value $v$. Then, they prove a similar lemma for Clight statements, and finally for an entire Clight program. The proof strategy is to reason by induction over the evaluation relation of Clight programs, and to perform case analysis on the translation function.

The pattern for the verification of GPL compilers is more or less the same as presented above. Whether for compilers of imperative languages [12, 15] or compilers of functional languages [7, 16], compiler verification proceeds as follows:

1. Establish a relation between the memory models of the source and target languages, and between the global execution environments.
2. Prove correctness lemmas starting from simple constructs, and building up incrementally to consider entire programs.
3. Reason by induction over the evaluation relation of the source language, and the translation function.

Relating memory models is more difficult when the gap between the source and target languages is large (for instance, the translation of Cminor programs into RTL programs in [12]). As a consequence, the complexity of the memory model comparison relation increases.

### 2.1.2 Compilers for hardware description languages

In the case of HDL compilers, proving semantic preservation is very similar to the case of GPL compilers. Of course, the difference lies in the semantics of HDLs, and in the description of execution states. The semantics of HDLs is intrinsically related to the notion of execution over time, or over multiple clock cycles; indeed, we are dealing with reactive systems. Therefore, the semantic preservation theorems are formulated w.r.t. the synchronous or time-related semantics of the considered languages.

In [3, 5], the source language is a subset of the BlueSpec specification language for hardware synthesis, and the target language is an RTL representation of the circuit. The runtime states of the source and target programs are basically mappings from registers to values. In [3], the execution state also holds a log of the read and write operations of the input program, and this log is compared to the log of the RTL representation. The semantic preservation theorem takes the general form of Definition 14; however, the final states refer to the states of the source and target programs at the end of a clock cycle. Thus, the semantic preservation theorem states that, starting from equal register stores, executing a source program and its RTL circuit for one clock cycle leads to equal register stores.

In [4], the source language is a subset of Lustre and the target language is an imperative language called Obc. A Lustre program is composed of nodes; each node processes a set of input streams and publishes output streams after the computation of its statement body. In its statement body, a Lustre node may refer to instances of other nodes. In the compilation process, each Lustre node is translated into an Obc class. An Obc class holds a vector of variables composing its internal memory and a vector of other Obc class instances. The authors define a data flow semantics for the Lustre language; the judgments of the semantics describe how output streams are computed from input streams. Also, as we are dealing with hardware circuits, the semantic rules cover both synchronous and combinational statements. On the Obc side, the semantics defines a function *step* that computes the execution of the Obc classes over one clock cycle. To prove the semantic preservation theorem, the state comparison relation binds the values of input and output streams on one side to the values of variables and Obc class instances on the other side. The semantic preservation theorem is as follows: if a Lustre node yields the output stream $o$ from an input stream $i$, then the iterative execution of the *step* function for the corresponding Obc class incrementally builds the output stream $o$ given the values of the input stream $i$. The proof is done by induction over the clock step count, and by induction over the evaluation relation for the Lustre statements composing the body of nodes.

In [13], the HDL compiler translates Verilog modules into netlists. The execution state of a Verilog module holds the values of the variables declared in the module. The execution state of a netlist circuit holds the values of the registers declared in the circuit. Therefore, the state comparison relation used to state the semantic preservation theorem binds the values of variables on one side to the values of registers on the other side. The semantics of Verilog is quite similar to that of VHDL: the set of processes composing a module is executed w.r.t. the simulation semantics of the language, i.e., composed of synchronous and combinational execution steps. The semantics of netlists is given as a big-step operational semantics by means of an interpreter that runs a netlist over $n$ clock cycles. The semantic preservation theorem is as follows: assuming that a module is transformed into a circuit, and that some well-formedness hypotheses hold on the module, if the module executes without error and yields a final state $v_{env}$, then there exists a final state $c_{env}$ yielded by the execution of the circuit over $n$ clock cycles such that $v_{env}$ and $c_{env}$ are similar according to the relation $\mathit{verilog\_netlist\_rel}$. Here, $\mathit{verilog\_netlist\_rel}$ is the state comparison relation.

In [19], the compiler transforms programs of the synchronous language SIGNAL into Synchronous Clock Guarded Actions programs (S-CGA programs). A SIGNAL program describes a set of processes; each process holds a set of equations describing the relations between signals. The equations can be synchronous equations (referring to a clock) or combinational ones. An S-CGA program defines a set of actions to be applied to some variables when some conditions (the guards) are met. The SIGNAL (resp. the S-CGA) language has been endowed with a trace semantics describing the computation of signal values (resp. variable values) over time. The authors describe a function to translate the traces of SIGNAL and S-CGA programs into a common trace model. Thus, the semantic preservation theorem is stated by comparing two execution traces defined through the same model. The proof of the semantic preservation theorem is built incrementally. For each statement of a SIGNAL process, the authors exhibit a lemma proving that the trace resulting from the execution of the statement is equivalent to the trace resulting from the execution of the corresponding guarded actions (obtained through the compilation). The proof is fully mechanized within the Coq proof assistant.

In [10], the authors verify a methodology for designing hardware with SystemC models. SystemC models describe hardware systems as modules; a module is a C++ class with ports, data members and methods. The methodology describes a transformation from SystemC models to Abstract State Machines (ASMs), thus enabling model checking of the hardware models. ASMs are described in the AsmL language; in AsmL, an ASM is implemented by a class with data members and methods. A denotational (fixpoint) semantics for SystemC models is defined along with a denotational semantics for AsmL. The semantics is another variant of the simulation cycle, similar to all other synchronous languages. There are two phases, evaluate and update, and the gap between the two is called a delta-delay. The execution state of a SystemC model is divided into a signal store, mapping signals to values, and a variable store, mapping variables to values. The execution state of an AsmL class is only composed of a variable store. The theorem of semantic preservation states that, after translation, a SystemC model has the same *observational* behavior as its corresponding AsmL class. What is compared between a SystemC model and its corresponding AsmL class through their observational behavior is the activity of the processes of the former and the activity of the methods of the latter. Processes and methods must be active at the same delta cycles. Therefore, what is compared here are not the values held by the execution states, but rather the activity of the source and target programs.

### 2.1.3 Model transformations

Regarding model transformations, many works consider semantic preservation as the preservation of structural properties in the transformed model [1, 6, 14].

Still, there are many cases where both the source model and the target one have an execution semantics. In these cases, the authors are interested in proving that the transformation is semantics preserving by showing that the computations of the source model and the target model follow a commuting diagram (see Figure 2.1).

In [8] and [18], the authors are interested in giving a translational semantics to a given model that itself has a reference execution semantics. In [8], the source models are called xSpem models; they describe a set of *activities* that exchange resources and hold an internal state. The target models are PNs. Both xSpem models and PNs have a state transition semantics. The state comparison is performed by checking the correspondence between the current status of each activity described in an xSpem model and the marking of the PN. Then, the authors prove a bisimulation theorem, illustrated in Figure 2.2.



FIGURE 2.2: Bisimulation diagram relating an xSpem model execution and a Petri net execution

In Figure 2.2, on the right side of the diagram, i.e., the Petri net side, one can see that a Petri net may perform many internal actions (represented by the arrow $\xrightarrow{\tau^*}$) before and after executing the computation step that is of interest for the proof (i.e., action $\lambda$). The proof is performed by induction on the structure of the xSpem models, and then by reasoning on the state transition semantics of xSpem models and PNs.
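To make the diagrams of Figure 2.1 and Figure 2.2 concrete, here is an added example (not code from the thesis, nor from [8] or [12]) that checks, on a constructed source/target pair and for a finite number of steps, that each square of the commuting diagram of Definition 14 closes. The source machine adds $N$ in one step; the target implements it by an internal load step followed by $N$ unit increments, so one source step corresponds to several target steps, like the $\tau^*$ arrows of Figure 2.2. The two machines, the relation `sim`, and all function names are assumptions of this example.

```python
"""Finite check of a commuting (simulation) diagram on a constructed
source/target pair. Added example; not code from the thesis or from [8, 12].

Source machine: state x (a natural), one step adds N.
Target machine: state (x, pending); from an idle state (pending == 0) an
internal step loads N into pending, then N unit-increment steps follow."""

from typing import Callable, Optional, Tuple

N = 3
SrcState = int
TgtState = Tuple[int, int]  # (x, pending increments)


def src_step(x: SrcState) -> SrcState:
    """Source semantics: x := x + N in a single big step."""
    return x + N


def tgt_step(s: TgtState) -> TgtState:
    """Target small-step semantics: load N when idle, else increment once."""
    x, pending = s
    if pending == 0:
        return (x, N)            # internal (tau) action: start the loop
    return (x + 1, pending - 1)


def tgt_step_buggy(s: TgtState) -> TgtState:
    """A wrong translation that loads N - 1 instead of N (for contrast)."""
    x, pending = s
    if pending == 0:
        return (x, N - 1)
    return (x + 1, pending - 1)


def sim(x: SrcState, s: TgtState) -> bool:
    """State comparison relation ~: same value, and the target is idle, so the
    intermediate states of the increment loop never count as similar."""
    return s[1] == 0 and x == s[0]


def close_square(src: Callable[[SrcState], SrcState],
                 tgt: Callable[[TgtState], TgtState],
                 x: SrcState, s: TgtState,
                 max_tgt_steps: int = 64) -> Optional[Tuple[SrcState, TgtState]]:
    """One square of the diagram: from x ~ s, after the source step x -> x',
    search for a target run s -> ... -> s' of at most max_tgt_steps steps with
    x' ~ s'. Returns (x', s') when the square commutes, None otherwise."""
    if not sim(x, s):
        return None
    xp = src(x)
    cur = s
    for _ in range(max_tgt_steps):
        cur = tgt(cur)
        if sim(xp, cur):
            return xp, cur
    return None


def check_diagram(tgt: Callable[[TgtState], TgtState],
                  x: SrcState, s: TgtState,
                  n_steps: int) -> Optional[Tuple[SrcState, TgtState]]:
    """Chain n_steps squares from similar initial states; returns the final
    pair of similar states, or None as soon as a square fails to commute."""
    for _ in range(n_steps):
        square = close_square(src_step, tgt, x, s)
        if square is None:
            return None
        x, s = square
    return x, s


if __name__ == "__main__":
    print(check_diagram(tgt_step, 0, (0, 0), 5))        # (15, (15, 0))
    print(check_diagram(tgt_step_buggy, 0, (0, 0), 5))  # None
```

Because `sim` requires the target to be idle, the relation is only checked at the end of each target run, which is exactly what the "plus" style diagrams of Figure 2.1 express: the target may take several steps, internal ones included, for one source step. With the faulty translation, no target run ever reaches a similar idle state and the first square fails.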

In [18], the authors describe a transformation from a model of the AADL formalism (Architecture Analysis and Design Language) to a particular kind of Abstract State Machine (ASM) called Timed Abstract State Machines (TASM). To verify that the transformation is semantics preserving, the authors define the semantics of AADL models and TASMs through Timed Transition Systems (TTSs). Thus, the execution state of an AADL model is the execution state of the corresponding TTS, and the same holds for a TASM. Comparing the states of two TTSs is easier than comparing the states of two different kinds of models, which would have two different state definitions. Then, the authors prove a strong bisimulation theorem to verify that the transformation is semantics preserving. The whole proof is mechanized within the Coq proof assistant.

In [9], the authors describe a transformation from LLVM-labelled Petri nets to LLVM programs, where LLVM is a low-level assembly language. Precisely, the generated LLVM program implements the state space of the source Petri net (i.e., the graph of reachable markings). The authors want to verify whether an LLVM program truly implements the PN state space, i.e., whether each marking present in the PN state space can be reached by running a specific $\text{fire}_t$ function on the generated LLVM program. The state of an LLVM program is defined by a memory model composed of a heap and a stack. The marking of an LLVM-labelled PN is defined in such a manner that the correspondence with the LLVM program memory model is straightforward. The PN model has a classical firing semantics, and LLVM programs follow a small-step operational semantics. The semantic preservation theorem states that, for every transition $t$ whose firing leads from marking $M$ to marking $M'$, running the $\text{fire}_t$ function over the generated LLVM program at state $LM$ (such that $LM$ implements marking $M$) leads to a new state $LM'$ such that $LM'$ implements marking $M'$. To prove this theorem, the authors proceed by induction on the number of places of the input Petri net.

### 2.1.4 Discussions on transformations and proof strategies

In this thesis, we are interested in the verification of a semantic preservation property for a given transformation function. To achieve this kind of proof task, the procedures are quite similar, at least in the three cases of transformation presented above (i.e., GPL compilation, HDL compilation and model transformations). Even though the source and target languages or models differ from one case of transformation to another, the semantic preservation theorems share the same structure, i.e., the one presented in Definition 14. The state comparison relation and the choice of the commuting diagram (i.e., how many computational steps of the target representation correspond to one computational step of the source representation) are the two cornerstones of the process.

One can notice that, when verifying the transformation of HDL programs, the semantic preservation theorems are expressed around a time-related computational step. It can either be a clock cycle, or another kind of time step. The state equivalence check is made at the end of this time-related computational step. This differs from the expression of behavior preservation theorems for GPLs, where a computational step is not related to time, but rather expresses the one-shot computation of a program.

Concerning proof strategies, in the case of programming languages, proving the semantic preservation theorems is systematically done by induction over the semantic relations of the source and target languages, and by reasoning on the translation function. The semantic relations are themselves defined by following the inductive structure of the language ASTs. In the case of model transformations, when the source model permits it, the proofs are performed similarly by applying inductive reasoning over the structure of the input model. This enables compositional reasoning, i.e., splitting the difficulty of proving the semantic preservation theorem into simpler lemmas about the execution of simpler programs or simpler model structures.

## 2.2 The state similarity relation

Before presenting our behavior preservation theorem, we must clarify the meaning of semantic preservation between an SITPN and a  $\mathcal{H}$ -VHDL design. To do so, we must define:

1. What does semantic similarity mean between an SITPN state and a  $\mathcal{H}$ -VHDL state?
2. When, in the course of the execution of an SITPN and a $\mathcal{H}$-VHDL design, must this semantic similarity hold?

We must relate the elements that constitute the execution state of an SITPN to the elements that constitute the execution state of a $\mathcal{H}$-VHDL design. An SITPN state is an abstract structure relating the places, transitions, actions, functions and conditions of a given SITPN to values of certain domains (see Section ). A $\mathcal{H}$-VHDL design state is composed of a signal store mapping signals to values, and of a component store mapping component instances to their own internal states (which are themselves design states). Thanks to the binder function $\gamma$ generated alongside the transformation from an SITPN to a $\mathcal{H}$-VHDL design, we are able to relate the elements of the SITPN structure to the component instance states and signal values of the $\mathcal{H}$-VHDL design state. Thus, the state similarity relation, which depends on a $\gamma$ binder and expresses a semantic match between an SITPN state and a $\mathcal{H}$-VHDL design state, is defined as follows:

**Definition 15** (General state similarity). *For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ , and a binder  $\gamma \in WM(sitpn, d)$ , an SITPN state  $s \in S(sitpn)$  and a design state  $\sigma \in \Sigma(\Delta)$  are similar, written  $\gamma \vdash s \sim \sigma$  iff*

1.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, \; s.M(p) = \sigma(id_p)(\text{"s\_marking"}).$
2.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$  
    $\bigl((upper(I_s(t)) = \infty \wedge s.I(t) \leq lower(I_s(t))) \Rightarrow s.I(t) = \sigma(id_t)(\text{"s\_time\_counter"})\bigr)$  
    $\wedge \bigl((upper(I_s(t)) = \infty \wedge s.I(t) > lower(I_s(t))) \Rightarrow \sigma(id_t)(\text{"s\_time\_counter"}) = lower(I_s(t))\bigr)$  
    $\wedge \bigl((upper(I_s(t)) \neq \infty \wedge s.I(t) > upper(I_s(t))) \Rightarrow \sigma(id_t)(\text{"s\_time\_counter"}) = upper(I_s(t))\bigr)$  
    $\wedge \bigl((upper(I_s(t)) \neq \infty \wedge s.I(t) \leq upper(I_s(t))) \Rightarrow s.I(t) = \sigma(id_t)(\text{"s\_time\_counter"})\bigr).$
3.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, \; s.reset_t(t) = \sigma(id_t)(\text{"s\_reinit\_time\_counter"}).$
4.  $\forall c \in C, id_c \in Ins(\Delta) \text{ s.t. } \gamma(c) = id_c, \; s.cond(c) = \sigma(id_c).$
5.  $\forall a \in A, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, \; s.ex(a) = \sigma(id_a).$
6.  $\forall f \in F, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, \; s.ex(f) = \sigma(id_f).$

In Item 1, based on the $\gamma$ binder, we relate the marking value of a place $p$ at state $s$ to the value of the `s_marking` signal inside the internal state of the place component instance (PCI) $id_p$. The expression $\sigma(id_p)$ returns the internal state of PCI $id_p$ by looking up the component store of state $\sigma$. Items 2 and 3 similarly relate the values of time counters (resp. reset orders) of transitions to the values of the signals `s_time_counter` (resp. `s_reinit_time_counter`) in the internal state of the corresponding transition component instances (TCIs). In Item 4 (resp. Items 5 and 6), the boolean values of conditions (resp. actions and functions) are compared to the values of input (resp. output) ports of the $\mathcal{H}$-VHDL design, also based on the $\gamma$ binder.

As one can observe in Item 2, the relation between the value of a time counter and the value of the `s_time_counter` signal is a particular one. It is due to the definition domain of time intervals. In the definition of the SITPN structure, a time interval $i$ is defined as follows: $i = [a, b]$ where $a \in \mathbb{N}^*$ and $b \in \mathbb{N}^* \sqcup \{\infty\}$. In the SITPN semantics, depending on certain conditions, a time counter may increment its value until it reaches the upper bound of the associated time interval. Therefore, a time counter associated with a time interval with an infinite upper bound may increment its value indefinitely. While acceptable in the theoretical world, this is not acceptable in the world of hardware circuits, where all dimensions and values are finite. On the $\mathcal{H}$-VHDL side, the signal `s_time_counter`, whose value represents the value of a time counter, stops incrementing at the lower bound of the time interval when the upper bound is infinite. As long as the value of the time counter is less than or equal to the lower bound of the time interval, we require exact equality between the value of the time counter and the value of the `s_time_counter` signal. When the time counter goes past the lower bound, the values may diverge (i.e., the time counter value continues to be incremented while the value of the `s_time_counter` signal stalls). In that case, we are only interested in knowing that the value of the `s_time_counter` signal is equal to the lower bound of the time interval. The last two points of Item 2 are necessary to cover the case where a time counter has overreached the upper bound of its time interval. In that case, the time counter becomes *locked*. The `s_time_counter` signal cannot overreach the upper bound of the time interval without causing an overflow. Thus, the value of the `s_time_counter` signal diverges from the value of its corresponding time counter when the time counter overreaches the upper bound of its time interval. While the time counter is less than or equal to the upper bound of its time interval, we require exact equality between the value of the time counter and the value of the `s_time_counter` signal. When the time counter overreaches the upper bound, the value of the time counter stalls at the upper bound plus one, and the value of `s_time_counter` stalls at the upper bound. In that case, we are only interested in knowing that the value of the `s_time_counter` signal is equal to the upper bound of the time interval.
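The following Python example is added here to illustrate Item 2 of Definition 15; it is not code from the thesis or from the HILECOP tool chain. It runs an SITPN time counter and the `s_time_counter` signal of its TCI side by side from value 0, assuming (for the sake of the example only) that the counter increments at every clock cycle, and checks the four cases of Item 2 after each cycle; `first_divergence` shows at which cycle plain equality between the two values would break. `Interval`, `sitpn_counter_step`, `hvhdl_counter_step`, `time_counter_similar`, `run` and `first_divergence` are names chosen for this example.

```python
"""Time counter of a transition versus the s_time_counter signal of its TCI.
Added example (not the thesis's or HILECOP's code); the increment-every-cycle
behaviour and the start value 0 are assumptions of the example."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

INF = None  # the infinite upper bound of a time interval is encoded as None


@dataclass(frozen=True)
class Interval:
    """A static time interval I_s(t) = [lower, upper], upper in N* or INF."""
    lower: int
    upper: Optional[int]


def sitpn_counter_step(i: Interval, counter: int) -> int:
    """SITPN side: s.I(t) increments without bound when the upper bound is
    infinite, and locks at upper + 1 once it has overreached the bound."""
    if i.upper is INF:
        return counter + 1
    return min(counter + 1, i.upper + 1)


def hvhdl_counter_step(i: Interval, s_time_counter: int) -> int:
    """H-VHDL side: the signal stalls at the lower bound when the upper bound
    is infinite, and at the upper bound otherwise, so it never overflows."""
    bound = i.lower if i.upper is INF else i.upper
    return min(s_time_counter + 1, bound)


def time_counter_similar(i: Interval, counter: int, s_time_counter: int) -> bool:
    """Item 2 of Definition 15 for one transition t with I_s(t) = i,
    s.I(t) = counter and sigma(id_t)("s_time_counter") = s_time_counter."""
    if i.upper is INF:
        if counter <= i.lower:
            return counter == s_time_counter      # case 1: exact equality
        return s_time_counter == i.lower          # case 2: signal stalled at lower
    if counter > i.upper:
        return s_time_counter == i.upper          # case 3: counter locked, signal at upper
    return counter == s_time_counter              # case 4: exact equality


def run(i: Interval, cycles: int) -> Tuple[List[Tuple[int, int]], bool]:
    """Execute both sides from 0 for `cycles` clock cycles. Returns the trace
    of (s.I(t), s_time_counter) pairs and whether Item 2 held at every cycle."""
    counter, sig = 0, 0
    trace = [(counter, sig)]
    ok = time_counter_similar(i, counter, sig)
    for _ in range(cycles):
        counter = sitpn_counter_step(i, counter)
        sig = hvhdl_counter_step(i, sig)
        trace.append((counter, sig))
        ok = ok and time_counter_similar(i, counter, sig)
    return trace, ok


def first_divergence(i: Interval, cycles: int) -> Optional[int]:
    """First cycle at which plain equality s.I(t) = s_time_counter breaks,
    i.e. where the saturation cases of Item 2 become necessary; None if never."""
    trace, _ = run(i, cycles)
    for cycle, (counter, sig) in enumerate(trace):
        if counter != sig:
            return cycle
    return None


if __name__ == "__main__":
    print(run(Interval(2, INF), 5))  # infinite upper bound: signal stalls at 2
    print(run(Interval(1, 3), 6))    # finite upper bound: counter locks at 4, signal at 3
    print(first_divergence(Interval(2, INF), 5), first_divergence(Interval(1, 3), 6))
```

With the interval $[2, \infty]$, the two values agree for the first two cycles and then the signal stays at 2 while the counter keeps growing; with $[1, 3]$ they agree up to 3, after which the counter locks at 4 and the signal at 3. In both runs Item 2 holds at every cycle, whereas plain equality fails from cycle 3 and cycle 4 respectively.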

The second question that we asked above was: when must the state similarity relation hold in the course of the execution? The source and target representations are both synchronously executed. Thus, we find it natural to check that the state similarity relation holds at the end of a clock cycle. However, due to modifications made after the detection of a bug (see Section 2.4), the state similarity relation of Definition 15 does not hold at the end of a clock cycle: the equality between the value of reset orders and the value of the `s_reinit_time_counter` signals (Item 3) is not verified there. However, this semantic divergence is harmless. New reset orders are computed at the beginning of a clock cycle, so that the relation of Item 3 holds in the middle of the clock cycle (i.e., just before the falling edge of the clock). This is the only moment in the clock cycle where the `s_reinit_time_counter` signal is actually involved in the computation of other signal values. Thus, it is sufficient that Item 3 holds in the middle of the clock cycle only. Consequently, we must now define two state similarity relations: one that checks the semantic similarity after the rising edge of the clock signal (i.e., in the middle of the clock cycle), and one that checks the semantic similarity after the falling edge of the clock signal (i.e., at the end of the clock cycle). The state similarity relation after a rising edge is defined as follows:

**Definition 16** (Post rising edge state similarity). *For a given $sitpn \in SITPN$, a $\mathcal{H}$-VHDL design $d \in design$, an elaborated design $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$, and a binder $\gamma \in WM(sitpn, d)$, an SITPN state $s \in S(sitpn)$ and a design state $\sigma \in \Sigma(\Delta)$ are similar after a rising edge, written $\gamma \vdash s \sim^{\uparrow} \sigma$ iff*

1.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, \; s.M(p) = \sigma(id_p)(\text{"s\_marking"}).$
2.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$  
    $\bigl((upper(I_s(t)) = \infty \wedge s.I(t) \leq lower(I_s(t))) \Rightarrow s.I(t) = \sigma(id_t)(\text{"s\_time\_counter"})\bigr)$  
    $\wedge \bigl((upper(I_s(t)) = \infty \wedge s.I(t) > lower(I_s(t))) \Rightarrow \sigma(id_t)(\text{"s\_time\_counter"}) = lower(I_s(t))\bigr)$  
    $\wedge \bigl((upper(I_s(t)) \neq \infty \wedge s.I(t) > upper(I_s(t))) \Rightarrow \sigma(id_t)(\text{"s\_time\_counter"}) = upper(I_s(t))\bigr)$  
    $\wedge \bigl((upper(I_s(t)) \neq \infty \wedge s.I(t) \leq upper(I_s(t))) \Rightarrow s.I(t) = \sigma(id_t)(\text{"s\_time\_counter"})\bigr).$
3.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, \; s.reset_t(t) = \sigma(id_t)(\text{"s\_reinit\_time\_counter"}).$
4.  $\forall a \in A, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, \; s.ex(a) = \sigma(id_a).$
5.  $\forall f \in F, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, \; s.ex(f) = \sigma(id_f).$

Definition 16 is similar to Definition 15 in all points, except for the value of conditions. A condition of an SITPN is implemented by an input port in the resulting $\mathcal{H}$-VHDL top-level design. In the $\mathcal{H}$-VHDL semantics, the values of primary input ports (i.e., the input ports of the top-level design) are updated at each clock edge. In the SITPN semantics, the values of conditions are updated only at the falling edge of the clock. Consider that a given SITPN is executed at clock cycle $\tau$; after the rising edge of the clock, the values of conditions are equal to their values at clock cycle $\tau - 1$, whereas the values of primary input ports have been updated to fresh values. Thus, we have to wait for the next falling edge to reach equality between condition values and input port values. Therefore, there is a semantic divergence between the values of conditions and the values of input ports in the middle of the clock cycle, i.e., just before the next falling edge of the clock signal. However, similarly to the case of reset orders and `s_reinit_time_counter` signals, conditions and their corresponding input ports are only involved in computations at the falling edge of the clock. Thus, it is sufficient that Item 4 of Definition 15 holds only right after the falling edge of the clock signal.

The state similarity relation draws a correspondence between the values held by an SITPN state and the values of the signals declared in a $\mathcal{H}$-VHDL design state. However, to complete the proof of semantic preservation, we sometimes have to relate the value of signals to the value of expressions or predicates involved in the SITPN semantics. For instance, consider a given SITPN state $s$ and a given $\mathcal{H}$-VHDL design state $\sigma$, and consider a transition $t$ and its corresponding TCI $id_t$. It is useful to show that, after a rising edge, the value of signal `s_enabled` at state $\sigma(id_t)$, where $\sigma(id_t)$ denotes the internal state of component instance $id_t$ at state $\sigma$, is equal to the predicate $t \in Sens(s.M)$ stating that the transition $t$ is sensitized (or *enabled*) by the marking at state $s$ (i.e., $s.M$). Thus, for the convenience of the proof, we enrich our definitions of the state similarity relations with formulas relating $\mathcal{H}$-VHDL signals to SITPN semantics predicates and expressions. Consequently, the *full* post rising edge state similarity relation is defined as follows:

**Definition 17** (Full post rising edge state similarity). *For a given $sitpn \in SITPN$, a $\mathcal{H}$-VHDL design $d \in design$, an elaborated design $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$, and a binder $\gamma \in WM(sitpn, d)$, a clock cycle count $\tau \in \mathbb{N}$, and an SITPN execution environment $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$, an SITPN state $s \in S(sitpn)$ and a design state $\sigma \in \Sigma(\Delta)$ are fully similar after a rising edge happening at clock cycle count $\tau$, written $\gamma, E_c, \tau \vdash s \approx^{\uparrow} \sigma$ iff $\gamma \vdash s \sim^{\uparrow} \sigma$ (Definition 16) and*

1.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, \; t \in Sens(s.M) \Leftrightarrow \sigma(id_t)(\text{"s\_enabled"}) = \text{true}$.
2.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, \; t \notin Sens(s.M) \Leftrightarrow \sigma(id_t)(\text{"s\_enabled"}) = \text{false}$.
3.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$

$$\sigma(id_t)(\text{"s\_condition\_combination"}) = \prod_{c \in cond(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

where $cond(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$.

Definition 17 extends Definition 16 with the correspondence of the sensitization of transitions and the value of signal `s_enabled`, and the computation of the boolean product of condition values and the value of signal `s_condition_combination`.
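As an added example (not from the thesis or the HILECOP tool chain), the Python code below simulates the two clock phases discussed above for conditions and primary input ports, and computes the boolean product of Definition 17, Item 3. It assumes that conditions are identified by strings, that the environment $E_c$ is a Python function `env(tau, c)`, that the value $E_c(\tau, c)$ is presented on the input port during the whole clock cycle $\tau$, and that condition values start at false before the first cycle; the environment `env` and the association matrix `C` are constructed for the example.

```python
"""Two-phase clock simulation of SITPN conditions against the primary input
ports of the H-VHDL design, plus the boolean product of Definition 17, Item 3.
Added example; not code from the thesis or the HILECOP tool chain. Assumed:
conditions are strings, E_c is env(tau, c), E_c(tau, c) is on the port for the
whole cycle tau, and conditions are false before the first cycle."""

from typing import Callable, Dict, List, Tuple

Env = Callable[[int, str], bool]
CondMatrix = Dict[Tuple[str, str], int]   # C(t, c) in {1, -1, 0}


def cond(t: str, C: CondMatrix) -> List[str]:
    """cond(t) = {c | C(t, c) = 1 or C(t, c) = -1}."""
    return [c for (tt, c), v in C.items() if tt == t and v != 0]


def condition_combination(t: str, C: CondMatrix, env: Env, tau: int) -> bool:
    """Value of s_condition_combination in TCI id_t after the rising edge of
    cycle tau: the product over cond(t) of E_c(tau, c) when C(t, c) = 1 and of
    not E_c(tau, c) when C(t, c) = -1 (an empty product is true)."""
    result = True
    for c in cond(t, C):
        v = env(tau, c)
        result = result and (v if C[(t, c)] == 1 else (not v))
    return result


Record = Tuple[int, str, Dict[str, bool], Dict[str, bool]]


def simulate(conditions: List[str], env: Env, tau_max: int) -> List[Record]:
    """Run cycles 1..tau_max; record (tau, edge, s.cond, ports) after each edge."""
    s_cond = {c: False for c in conditions}   # SITPN condition values (assumed start)
    ports = {c: False for c in conditions}    # primary input port values
    records: List[Record] = []
    for tau in range(1, tau_max + 1):
        # rising edge: ports take the fresh environment values; s.cond is untouched
        ports = {c: env(tau, c) for c in conditions}
        records.append((tau, "rising", dict(s_cond), dict(ports)))
        # falling edge: the SITPN semantics updates conditions from E_c(tau, c)
        s_cond = {c: env(tau, c) for c in conditions}
        records.append((tau, "falling", dict(s_cond), dict(ports)))
    return records


def item4_holds(rec: Record) -> bool:
    """Item 4 of Definition 15: s.cond(c) = sigma(id_c) for every condition c."""
    _, _, s_cond, ports = rec
    return all(s_cond[c] == ports[c] for c in s_cond)


def edges_where_item4_holds(records: List[Record]) -> Dict[str, bool]:
    """Whether Item 4 holds after every rising edge / after every falling edge."""
    return {edge: all(item4_holds(r) for r in records if r[1] == edge)
            for edge in ("rising", "falling")}


# Constructed environment: c1 toggles every cycle, c2 becomes true from cycle 2.
def env(tau: int, c: str) -> bool:
    return (tau % 2 == 1) if c == "c1" else (tau >= 2)


# Constructed association matrix: t1 is guarded by c1 and by not c2.
C: CondMatrix = {("t1", "c1"): 1, ("t1", "c2"): -1}


if __name__ == "__main__":
    recs = simulate(["c1", "c2"], env, 4)
    print(edges_where_item4_holds(recs))           # {'rising': False, 'falling': True}
    print([condition_combination("t1", C, env, tau) for tau in range(1, 5)])
```

Running `edges_where_item4_holds(simulate(["c1", "c2"], env, 4))` yields `{"rising": False, "falling": True}`: Item 4 fails after every rising edge, because the ports already carry $E_c(\tau, c)$ while `s.cond` still holds the values of cycle $\tau - 1$, and holds after every falling edge, which is why Definition 16 omits it. `condition_combination` uses the fresh values $E_c(\tau, c)$ rather than `s.cond`, as Item 3 of Definition 17 does.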

Now, let us define the state similarity relation describing how things must be compared between an SITPN state and a  $\mathcal{H}$ -VHDL design state after the falling edge of a clock signal:

**Definition 18** (Post falling edge state similarity). *For a given $sitpn \in SITPN$, a $\mathcal{H}$-VHDL design $d \in design$, an elaborated design $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$, and a binder $\gamma \in WM(sitpn, d)$, an SITPN state $s \in S(sitpn)$ and a design state $\sigma \in \Sigma(\Delta)$ are similar after a falling edge, written $\gamma \vdash s \sim^{\downarrow} \sigma$ iff*

1.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, s.M(p) = \sigma(id_p)(“s\_marking”)$ .

2.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(upper(I_s(t)) = \infty \wedge s.I(t) \leq lower(I_s(t))) \Rightarrow s.I(t) = \sigma(id_t)(\text{"s\_time\_counter"})$   
 $\wedge (upper(I_s(t)) = \infty \wedge s.I(t) > lower(I_s(t))) \Rightarrow \sigma(id_t)(\text{"s\_time\_counter"}) = lower(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s.I(t) > upper(I_s(t))) \Rightarrow \sigma(id_t)(\text{"s\_time\_counter"}) = upper(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s.I(t) \leq upper(I_s(t))) \Rightarrow s.I(t) = \sigma(id_t)(\text{"s\_time\_counter"}).$
3.  $\forall c \in \mathcal{C}, id_c \in Ins(\Delta) \text{ s.t. } \gamma(c) = id_c, s.cond(c) = \sigma(id_c).$
4.  $\forall a \in A, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s.ex(a) = \sigma(id_a).$
5.  $\forall f \in F, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s.ex(f) = \sigma(id_f).$

As explained above, Definition 18 is similar to Definition 15 except for the equality between reset orders and the value of the *s\_reinit\_time\_counter* signals. The extended version of the post falling edge state similarity relation is defined as follows:

**Definition 19** (Full post falling edge state similarity). *For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ , and a binder  $\gamma \in WM(sitpn, d)$ , an SITPN state  $s \in S(sitpn)$  and a design state  $\sigma \in \Sigma(\Delta)$  are fully similar after a falling edge, written  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$  iff  $\gamma \vdash s \overset{\downarrow}{\sim} \sigma$  (Definition 18) and*

1.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Firable(s) \Leftrightarrow \sigma(id_t)(\text{"s\_firable"}) = \text{true}.$
2.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Firable(s) \Leftrightarrow \sigma(id_t)(\text{"s\_firable"}) = \text{false}.$
3.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{true}.$
4.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{false}.$
5.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, \sum_{t \in Fired(s)} pre(p, t) = \sigma(id_p)(\text{"s\_output\_token\_sum"}).$
6.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, \sum_{t \in Fired(s)} post(t, p) = \sigma(id_p)(\text{"s\_input\_token\_sum"}).$

Definition 19 extends Definition 18 by drawing out a correspondence between:

- the firability of transitions and the value of the signal *s\_firable*
- the firing status of transitions (i.e., whether transitions are fired or not) and the value of the output port *fired*
- the sum of tokens consumed by the firing process and the value of the signal *s\_output\_token\_sum*
- the sum of tokens produced by the firing process and the value of the signal *s\_input\_token\_sum*
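The following added example (not code from the thesis or the HILECOP project) makes executable the two correspondences whose case analysis is easiest to misread: point 2 of Definition 18 (the saturating time counter) and point 3 of Definition 17 (the Boolean product over `cond(t)`). Interval bounds, the incidence row `C(t, c)` and the environment `E_c` are constructed values.

```python
# Added example, not part of the thesis: two points of the state similarity
# relations made executable, on constructed SITPN and design values.
from math import inf
from typing import Callable, Dict, Tuple

# Static time interval I_s(t) of a time transition: (lower, upper); upper may be inf.
Interval = Tuple[int, float]


def expected_time_counter(interval: Interval, s_I: int) -> int:
    """Value of the TCI signal s_time_counter required by point 2 of
    Definition 18, given the SITPN time counter s.I(t).

    The SITPN counter s.I(t) may grow without bound, but the hardware counter
    saturates: at lower(I_s(t)) when upper(I_s(t)) is infinite, and at
    upper(I_s(t)) otherwise. Below the saturation bound both counters are equal."""
    lower, upper = interval
    bound = lower if upper == inf else int(upper)
    return s_I if s_I <= bound else bound


def time_counter_similar(interval: Interval, s_I: int, sigma_time_counter: int) -> bool:
    """Point 2 of Definition 18 for one time transition."""
    return expected_time_counter(interval, s_I) == sigma_time_counter


def condition_combination(cond_row: Dict[str, int],
                          E_c: Callable[[int, str], bool], tau: int) -> bool:
    """Point 3 of Definition 17: the Boolean product over cond(t).

    cond_row maps each condition c to C(t, c) in {1, -1, 0}: a condition with
    C(t, c) = 1 contributes E_c(tau, c), one with C(t, c) = -1 contributes
    not E_c(tau, c), and one with C(t, c) = 0 is not in cond(t) at all.
    The empty product is true, so a transition without conditions always has
    s_condition_combination = true."""
    value = True
    for c, sign in cond_row.items():
        if sign == 1:
            value = value and E_c(tau, c)
        elif sign == -1:
            value = value and not E_c(tau, c)
    return value


def condition_combination_similar(cond_row: Dict[str, int], E_c: Callable[[int, str], bool],
                                  tau: int, sigma_value: bool) -> bool:
    """Point 3 of Definition 17 for one transition component instance."""
    return condition_combination(cond_row, E_c, tau) == sigma_value


# Constructed execution environment E_c: condition values per clock cycle.
_CONSTRUCTED_E_C = {0: {"c1": True, "c2": False}, 1: {"c1": True, "c2": True}}


def constructed_E_c(tau: int, c: str) -> bool:
    return _CONSTRUCTED_E_C[tau][c]


if __name__ == "__main__":
    # Time transition with I_s(t) = [2, inf): the TCI counter saturates at 2.
    for s_I, sig in [(1, 1), (2, 2), (5, 2), (5, 5)]:
        print(f"s.I(t)={s_I} s_time_counter={sig}:", time_counter_similar((2, inf), s_I, sig))
    # Transition t with C(t, c1) = 1 and C(t, c2) = -1.
    row = {"c1": 1, "c2": -1}
    print(condition_combination(row, constructed_E_c, 0))  # True
    print(condition_combination(row, constructed_E_c, 1))  # False
```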

## 2.3 Behavior preservation theorem

In this section, we lay out the major theorems and lemmas stating that the HILECOP transformation function is semantic preserving. We also present the informal proofs for these theorems and lemmas.

### 2.3.1 Proof notations

To add some readability to our proofs, we use the following notations:

- The most recent framed box above the point of reading denotes the current pending goal (what we are currently trying to prove):  $\boxed{\forall n \in \mathbb{N}, n > 0 \vee n = 0}$
- A red framed box denotes a completed goal (i.e. equivalent to QED):  $\boxed{\text{true} = \text{true}}$
- A green framed box denotes the current induction hypothesis:

$$\boxed{\forall n \in \mathbb{N}, n + 1 > 0}$$

- The mention **CASE** directly follows an item bullet to denote a case during a proof by case analysis.

During a proof, we constantly refer to the names of the constants and signals declared in the  $\mathcal{H}$ -VHDL place and transition designs. Some constants and signals have very long names, and therefore we use aliases to refer to them in the following proofs. Table A.1 gives the full correspondence between constants and signals, and their aliases. Also, during a proof and when there is no ambiguity,  $id_p$  (resp.  $id_t$ ) denotes the PCI (resp. TCI) identifier associated to a given place  $p$  (resp. transition  $t$ ) through  $\gamma(p) = id_p$  (resp.  $\gamma(t) = id_t$ ), where  $\gamma$  is the binder returned by the transformation function. Similarly,  $id_c$  (resp.  $id_a$  and  $id_f$ ) denotes the input port (resp. output port) identifier associated to a given condition  $c$  (resp. action  $a$  and function  $f$ ) through  $\gamma(c) = id_c$  (resp.  $\gamma(a) = id_a$  and  $\gamma(f) = id_f$ ).

### 2.3.2 Preliminary definitions

We define here some relations that are necessary to formalize our theorem of behavior preservation.

In an SITPN, the conditions associated to transitions receive fresh Boolean values from an execution environment at each falling edge of the clock. During the simulation of a top-level design, the input ports of the design receive fresh values from a simulation environment at each clock event. The transformation function generates an input port in the top-level design that will reproduce the behavior of a given SITPN condition. The binder  $\gamma$ , generated alongside the top-level design, relates a given condition  $c$  to its corresponding input port identifier  $id_c$ . To compare the execution/simulation traces of an SITPN and a  $\mathcal{H}$ -VHDL design, we must assume that the execution/simulation environments assign similar values to conditions and to their corresponding input ports at a given clock cycle. Definition 20 states that the execution environment for a given SITPN and the simulation environment for a given  $\mathcal{H}$ -VHDL design are similar.

**Definition 20** (Similar environments). *For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , a design store  $\mathcal{D} \in \textit{entity-id} \rightarrow design$ , an elaborated version  $\Delta \in ElDesign(d, \mathcal{D})$  of design  $d$ , and a binder  $\gamma \in WM(sitpn, d)$ , the environment  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ , that yields the value of the primary input ports of  $\Delta$  at a given simulation cycle and a given clock event, and the environment  $E_c$ , that yields the value of conditions of  $sitpn$  at a given execution cycle, are similar, noted  $\gamma \vdash E_p \stackrel{env}{=} E_c$ , iff for all  $\tau \in \mathbb{N}$ ,  $clk \in \{\uparrow, \downarrow\}$ ,  $c \in \mathcal{C}$ ,  $id_c \in Ins(\Delta)$  s.t.  $\gamma(c) = id_c$ ,  $E_p(\tau, clk)(id_c) = E_c(\tau)(c)$ .*

Definition 20 also entails that every input port of the top-level design related to an SITPN condition by the  $\gamma$  binder has a stable Boolean value during a whole clock cycle. That is to say, in the context of Definition 20, there exists no  $id_c$  such that  $E_p(\tau, \uparrow)(id_c) \neq E_p(\tau, \downarrow)(id_c)$ , since both values are equal to  $E_c(\tau)(c)$ .

To prove that the behaviors of an SITPN and of a  $\mathcal{H}$ -VHDL design are similar, we want to compare the states composing their execution/simulation traces. As a reminder, an execution/simulation trace is a time-ordered list of states describing the evolution of a given SITPN or  $\mathcal{H}$ -VHDL design through a certain number of clock cycles. The relation presented in Definition 21 makes it possible to compare such traces.

**Definition 21** (Execution trace similarity). *For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ , and a binder  $\gamma \in WM(sitpn, d)$ , the execution trace  $\theta_s \in list(S(sitpn))$  and the simulation trace  $\theta_{\sigma} \in list(\Sigma(\Delta))$  are similar, written  $\gamma \vdash \theta_s \overset{clk}{\sim} \theta_{\sigma}$ , where  $clk \in \{\uparrow, \downarrow\}$ , according to the following rules:*

$$\text{SIMTRACENIL}\quad \frac{}{\gamma \vdash [] \overset{clk}{\sim} []} \qquad\qquad \text{SIMTRACE}\uparrow\quad \frac{\gamma \vdash s \overset{\uparrow}{\sim} \sigma \qquad \gamma \vdash \theta_s \overset{\downarrow}{\sim} \theta_{\sigma}}{\gamma \vdash (s :: \theta_s) \overset{\uparrow}{\sim} (\sigma :: \theta_{\sigma})}$$

$$\text{SIMTRACE}\downarrow\quad \frac{\gamma \vdash s \overset{\downarrow}{\sim} \sigma \qquad \gamma \vdash \theta_s \overset{\uparrow}{\sim} \theta_{\sigma}}{\gamma \vdash (s :: \theta_s) \overset{\downarrow}{\sim} (\sigma :: \theta_{\sigma})}$$

In Definition 21, the clock event symbol on top of the  $\sim$  sign indicates the kind of clock event that led to the production of the states at the head of the traces. The execution trace similarity relation expects that the states composing the traces have been produced alternately by a rising edge step and by a falling edge step. By construction, the traces must have the same length to satisfy the execution trace similarity relation.

To handle the case of an execution/simulation trace beginning with an initial state, that is, a state reached neither after a rising nor after a falling edge, we give a slightly different definition of the execution trace similarity relation in Definition 22.

**Definition 22** (Full execution trace similarity). *For a given  $sitpn \in SITPN$ , a  $\mathcal{H}$ -VHDL design  $d \in design$ , an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ , and a binder  $\gamma \in WM(sitpn, d)$ , the execution trace  $\theta_s \in list(S(sitpn))$  and the simulation trace  $\theta_{\sigma} \in list(\Sigma(\Delta))$  are fully similar, written  $\gamma \vdash \theta_s \sim \theta_{\sigma}$ , according to the following rules:*

$$\text{FULLSIMTRACENIL}\quad \frac{}{\gamma \vdash [] \sim []} \qquad\qquad \text{FULLSIMTRACECONS}\quad \frac{\gamma \vdash s \sim \sigma \qquad \gamma \vdash \theta_s \overset{\uparrow}{\sim} \theta_{\sigma}}{\gamma \vdash (s :: \theta_s) \sim (\sigma :: \theta_{\sigma})}$$

The full execution trace similarity relation indicates that the head states of the traces must verify the general state similarity relation, and that the tails of the traces must respect the execution trace similarity relation starting with a rising edge step.
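As an added example (not code from the thesis or the HILECOP project), the two trace relations of Definitions 21 and 22 written as a recursive checker, so that the alternation of clock edges and the same-length requirement can be exercised. The three state similarity relations are parameters; the ones supplied below are constructed stand-ins comparing only a marking and the fired transitions, and the traces are constructed with the shape `s0 :: s0 :: s` used in the proof of Theorem 5.

```python
# Added example, not part of the thesis: Definitions 21 and 22 as a checker.
# The state similarity relations ∼, ∼↑ and ∼↓ are passed in as predicates.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

UP, DOWN = "↑", "↓"


@dataclass
class SitpnState:            # the part of s ∈ S(sitpn) used here
    M: Dict[str, int]        # marking s.M, keyed by place name
    fired: FrozenSet[str]    # Fired(s)


@dataclass
class DesignState:                # the part of σ ∈ Σ(Δ) used here
    s_marking: Dict[str, int]     # σ(id_p)("s_marking"), keyed by place name
    fired: Dict[str, bool]        # σ(id_t)("fired"), keyed by transition name


Pred = Callable[[SitpnState, DesignState], bool]


def trace_similar(theta_s: List[SitpnState], theta_sigma: List[DesignState],
                  clk: str, sim_up: Pred, sim_down: Pred) -> bool:
    """γ ⊢ θ_s ∼clk θ_σ (Definition 21), by structural recursion on the traces."""
    if not theta_s and not theta_sigma:
        return True                          # SIMTRACENIL
    if not theta_s or not theta_sigma:
        return False                         # unequal lengths: no rule applies
    s, sigma = theta_s[0], theta_sigma[0]
    head_ok = sim_up(s, sigma) if clk == UP else sim_down(s, sigma)
    # SIMTRACE↑ / SIMTRACE↓: the tail was produced by the other clock edge.
    tail_clk = DOWN if clk == UP else UP
    return head_ok and trace_similar(theta_s[1:], theta_sigma[1:], tail_clk, sim_up, sim_down)


def full_trace_similar(theta_s: List[SitpnState], theta_sigma: List[DesignState],
                       sim: Pred, sim_up: Pred, sim_down: Pred) -> bool:
    """γ ⊢ θ_s ∼ θ_σ (Definition 22): initial states under the general
    similarity, then the tails starting with a rising edge step."""
    if not theta_s and not theta_sigma:
        return True                          # FULLSIMTRACENIL
    if not theta_s or not theta_sigma:
        return False
    return sim(theta_s[0], theta_sigma[0]) and trace_similar(   # FULLSIMTRACECONS
        theta_s[1:], theta_sigma[1:], UP, sim_up, sim_down)


# Constructed stand-ins for the state similarity relations; the thesis's
# Definitions 15, 16 and 18 compare many more signals than these.
def sim(s: SitpnState, sigma: DesignState) -> bool:
    return s.M == sigma.s_marking


def sim_up(s: SitpnState, sigma: DesignState) -> bool:
    return sim(s, sigma)


def sim_down(s: SitpnState, sigma: DesignState) -> bool:
    # After a falling edge the fired output ports must reflect Fired(s),
    # in the spirit of points 3 and 4 of Definition 19.
    return sim(s, sigma) and s.fired == frozenset(t for t, v in sigma.fired.items() if v)


def example_traces() -> Tuple[List[SitpnState], List[DesignState]]:
    """Constructed traces over one clock cycle: s0 :: s0 :: s and σ0 :: σ :: σ'."""
    m = {"p1": 1, "p2": 0}
    s0 = SitpnState(M=dict(m), fired=frozenset())
    s1 = SitpnState(M=dict(m), fired=frozenset({"t1"}))
    sig0 = DesignState(s_marking=dict(m), fired={"t1": False})
    sig1 = DesignState(s_marking=dict(m), fired={"t1": True})
    return [s0, s0, s1], [sig0, sig0, sig1]


if __name__ == "__main__":
    theta_s, theta_sigma = example_traces()
    print(full_trace_similar(theta_s, theta_sigma, sim, sim_up, sim_down))       # True
    print(full_trace_similar(theta_s, theta_sigma[:-1], sim, sim_up, sim_down))  # False: lengths differ
    stale = theta_sigma[:2] + [theta_sigma[0]]   # fired port never raised
    print(full_trace_similar(theta_s, stale, sim, sim_up, sim_down))             # False
```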

### 2.3.3 The behavior preservation theorem

Theorem 1 expresses our behavior preservation theorem. Theorem 1 states that the HILECOP transformation function is semantic preserving when the input model is a well-defined SITPN (see Definition 4). As a complementary task, we could show that if the transformation function returns a pair made of a  $\mathcal{H}$ -VHDL design and a binder, and not an error, then the input SITPN is well-defined. To prove Theorem 1, we must first exhibit an elaborated version of the returned  $\mathcal{H}$ -VHDL design (Theorem 2), an initial state (Theorem 3), and a simulation trace over  $\tau$  simulation cycles (Theorem 4). Finally, we can establish that the behaviors are similar by comparing the respective SITPN execution and  $\mathcal{H}$ -VHDL simulation traces (Theorem 5). In this thesis, we focus on the proof that the execution/simulation traces are similar when they are produced by the SITPN execution relation and the  $\mathcal{H}$ -VHDL simulation relation over  $\tau$  clock cycles. This corresponds to the proof of Theorem 5. For now, we choose to consider Theorems 2, 3 and 4 as axioms.

**Theorem 1** (Behavior preservation). *For all well-defined  $sitpn \in SITPN$ , an  $\mathcal{H}$ -VHDL design  $d \in design$ , a binder  $\gamma \in WM(sitpn, d)$ , a clock cycle count  $\tau \in \mathbb{N}$ , an execution environment  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$  and an execution trace  $\theta_s \in list(S(sitpn))$  s.t.*

- *SITPN sitpn translates into  $\mathcal{H}$ -VHDL design  $d$  and yields a binder  $\gamma$ :  $[sitpn]_{\mathcal{H}} = (d, \gamma)$*
- *SITPN sitpn yields the execution trace  $\theta_s$  after  $\tau$  execution cycles in environment  $E_c$ :*  

$$E_c, \tau \vdash sitpn \xrightarrow{full} \theta_s$$

*then there exists an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$  s.t. for all simulation environment  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ , verifying*

- *Simulation/Execution environments are similar:  $\gamma \vdash E_p \stackrel{env}{=} E_c$*

*then there exists a simulation trace  $\theta_{\sigma} \in list(\Sigma(\Delta))$  s.t.*

- *Under the HILECOP design store  $\mathcal{D}_{\mathcal{H}}$  and with an empty generic constant dimensioning function ( $\emptyset$ ), design  $d$  yields the simulation trace  $\theta_{\sigma}$  after  $\tau$  simulation cycles:*  

$$\mathcal{D}_{\mathcal{H}}, \Delta, \emptyset, E_p, \tau \vdash d \xrightarrow{full} \theta_{\sigma}$$
- *Traces  $\theta_s$  and  $\theta_{\sigma}$  are fully similar:  $\theta_s \sim \theta_{\sigma}$*

*Proof.* Given a  $sitpn \in SITPN$ , a  $d \in design$ , a  $\gamma \in WM(sitpn, d)$ , a  $\tau \in \mathbb{N}$ , an  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$  and a  $\theta_s \in list(S(sitpn))$ , let us show that

$$\exists \Delta, \forall E_p, \gamma \vdash E_p \stackrel{env}{=} E_c, \exists \theta_{\sigma} \text{ s.t. } \mathcal{D}_{\mathcal{H}}, \Delta, \emptyset, E_p, \tau \vdash d \xrightarrow{full} \theta_{\sigma} \wedge \theta_s \sim \theta_{\sigma}$$

Appealing to Theorems 2, 3 and 4, let us take an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ , two design states  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$ , and a simulation trace  $\theta_{\sigma} \in list(\Sigma(\Delta))$  such that:

- $\Delta$  is the elaborated version of design  $d$ , and  $\sigma_e$  is the default design state of  $\Delta$ :

$$\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e)$$

- $\sigma_0$  is the initial simulation state:  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0$
- Design  $d$  yields the simulation trace  $\theta_{\sigma}$  after  $\tau$  simulation cycles, starting from initial state  $\sigma_0$ :  

$$\mathcal{D}_{\mathcal{H}}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta_{\sigma}$$

By definition of the  $\mathcal{H}$ -VHDL full simulation relation, we have:

$$\begin{aligned} \mathcal{D}_{\mathcal{H}}, \Delta, \emptyset, E_p, \tau \vdash d \xrightarrow{full} \theta_{\sigma} &\equiv \exists \sigma_e, \sigma_0 \in \Sigma(\Delta), \mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e) \\ &\quad \wedge \mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0 \\ &\quad \wedge \mathcal{D}_{\mathcal{H}}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta_{\sigma} \end{aligned} \tag{2.1}$$

Rewriting the goal with (2.1):

$$\begin{aligned} \exists \Delta, \forall E_p, \gamma \vdash E_p \stackrel{env}{=} E_c, \exists \theta_{\sigma}, \sigma_e, \sigma_0 \text{ s.t. } &\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e) \wedge \mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0 \\ &\wedge \mathcal{D}_{\mathcal{H}}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta_{\sigma} \wedge \theta_s \sim \theta_{\sigma} \end{aligned}$$

Let us use  $\Delta, \sigma_e, \sigma_0 \in \Sigma(\Delta)$  and  $\theta_{\sigma}$  to prove the goal:

$$\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e) \wedge \mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{\text{init}} \sigma_0 \wedge \mathcal{D}_{\mathcal{H}}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta_\sigma \wedge \theta_s \sim \theta_\sigma$$

The first three points of the goal are exactly the hypotheses taken from Theorems 2, 3 and 4, and the last point, i.e.  $\theta_s \sim \theta_\sigma$ , is proved by appealing to Theorem 5.

□

Theorem 2 states that every  $\mathcal{H}$ -VHDL design returned by the HILECOP transformation function can be elaborated. The elaboration relation verifies that a given  $\mathcal{H}$ -VHDL design is well-typed and well-formed w.r.t. the VHDL language standards, and builds an elaborated version of the  $\mathcal{H}$ -VHDL design that will act as a simulation environment. Thus, Theorem 2 states that the HILECOP transformation function produces *acceptable* code, i.e. code that could be the input to a simulator program.

**Theorem 2** (Elaboration). *For all well-defined sitpn  $\in$  SITPN,  $d \in$  design,  $\gamma \in WM(sitpn, d)$  s.t.*

- $[sitpn]_{\mathcal{H}} = (d, \gamma)$

*then there exists an elaborated design  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$  and a design state  $\sigma_e \in \Sigma(\Delta)$  s.t.*

- $\Delta$  is the elaborated version of design  $d$ , and  $\sigma_e$  is the default design state of  $\Delta$ :  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e)$

Theorem 3 states that one can always build an initial state for every  $\mathcal{H}$ -VHDL design returned by the HILECOP transformation function.

**Theorem 3** (Initialization). *For all well-defined sitpn  $\in$  SITPN,  $d \in$  design,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e \in \Sigma(\Delta)$  s.t.*

- $[sitpn]_{\mathcal{H}} = (d, \gamma)$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e)$

*then there exists a design state  $\sigma_0 \in \Sigma(\Delta)$  s.t.*

- $\sigma_0$  is the initial simulation state:  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{\text{init}} \sigma_0$

Theorem 4 states that one can always build a simulation trace over  $\tau$  clock cycles for every  $\mathcal{H}$ -VHDL design returned by the HILECOP transformation function. This means that the simulation of an  $\mathcal{H}$ -VHDL design never fails when it is the result of the transformation of a well-defined SITPN.

**Theorem 4** (Simulation). *For all well-defined sitpn  $\in$  SITPN,  $d \in$  design,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  s.t.*

- $[sitpn]_{\mathcal{H}} = (d, \gamma)$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e)$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_e \vdash d.cs \xrightarrow{\text{init}} \sigma_0$

*then for all simulation environment  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ , and simulation cycle count  $\tau \in \mathbb{N}$ , there exists a simulation trace  $\theta_\sigma \in \text{list}(\Sigma(\Delta))$  s.t.*

- *Design  $d$  yields the simulation trace  $\theta_\sigma$  after  $\tau$  simulation cycles, starting from initial state  $\sigma_0$ :*  
 $\mathcal{D}_{\mathcal{H}}, E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta_\sigma$

### 2.3.4 The bisimulation theorem

Here, we present the bisimulation theorem. The bisimulation theorem states that if an SITPN and its corresponding  $\mathcal{H}$ -VHDL design are executed/simulated over  $\tau$  execution/simulation cycles, then the produced traces are semantically similar, i.e., they verify the full execution trace similarity relation of Definition 22. In this thesis, we proved this particular theorem, and as said before, we left the proofs of Theorems 2, 3 and 4 for later. We choose to focus our work on the bisimulation theorem, because it directly addresses the semantic preservation property of HILECOP's transformation function.

In the proof of Theorem 5, in the case where  $\tau > 0$ , we must show that the state similarity relation holds between the states produced by the first execution cycle, and then use Lemma 1 to complete the proof of similarity between the tail traces. First, we must show that the initial states of both SITPN and  $\mathcal{H}$ -VHDL design verify the general state similarity relation (Definition 15); this is done by appealing to Lemma 5. The first execution cycle is particular because, by definition of the SITPN full execution relation, no transitions are fired during the first rising edge. Therefore, after the first rising edge, the SITPN state is still equal to its initial state  $s_0$ . We prove that the post rising edge similarity relation is verified after the first rising edge by appealing to Lemma 15. The detailed proofs for Lemmas 5 and 15 are given in Sections A.1 and A.2.

**Theorem 5** (Full bisimulation). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\tau \in \mathbb{N}$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $\theta_s \in list(S(sitpn))$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ ,  $\theta_{\sigma} \in list(\Sigma(\Delta))$  s.t.*

- $\lfloor sitpn \rfloor_{\mathcal{H}} = (d, \gamma)$
- $\gamma \vdash E_p \stackrel{env}{=} E_c$
- $E_c, \tau \vdash sitpn \xrightarrow{full} \theta_s$
- $\mathcal{D}_{\mathcal{H}}, \Delta, \emptyset, E_p, \tau \vdash d \xrightarrow{full} \theta_{\sigma}$

then  $\gamma \vdash \theta_s \sim \theta_{\sigma}$

*Proof.* Assuming the above hypotheses, let us show  $\boxed{\gamma \vdash \theta_s \sim \theta_{\sigma}}$ .

Let us perform case analysis on  $\tau$ ; there are two cases:

- **CASE  $\tau = 0$ .** By definition of the SITPN full execution and the  $\mathcal{H}$ -VHDL full simulation relations, we have:

- $E_c, 0 \vdash sitpn \xrightarrow{full} [s_0]$  and  $\theta_s = [s_0]$
- $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e)$  and  $\Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0$  and  $\mathcal{D}_{\mathcal{H}}, E_p, \Delta, 0, \sigma_0 \vdash d.cs \rightarrow []$  and  $\theta_{\sigma} = [\sigma_0]$

Rewriting  $\theta_s$  as  $[s_0]$ , and  $\theta_{\sigma}$  as  $[\sigma_0]$ , and by definition of the full execution trace similarity relation, what is left to prove is:  $\boxed{\gamma \vdash s_0 \sim \sigma_0}$

Appealing to Lemma 5, we can show  $\boxed{\gamma \vdash s_0 \sim \sigma_0}$ .

- **CASE  $\tau > 0$ .** By definition of the SITPN full execution relation (i.e.,  $E_c, \tau \vdash sitpn \xrightarrow{full} \theta_s$ ) and the  $\mathcal{H}$ -VHDL full simulation relation (i.e.,  $\mathcal{D}_{\mathcal{H}}, \Delta, \emptyset, E_p, \tau \vdash d \xrightarrow{full} \theta_{\sigma}$ ), we have:

- $E_c, \tau \vdash s_0 \xrightarrow{\uparrow} s_0$  and  $E_c, \tau \vdash s_0 \xrightarrow{\downarrow} s$  and  $E_c, \tau - 1 \vdash sitpn, s \rightarrow \theta$  and  $\theta_s = s_0 :: s_0 :: s :: \theta$
- $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e)$  and  $\Delta, \sigma_e \vdash d.cs \xrightarrow{init} \sigma_0$  and  $E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta'$  and  $\theta_\sigma = \sigma_0 :: \theta'$

Rewriting  $\theta_s$  and  $\theta_\sigma$ , the new goal is:  $\boxed{\gamma \vdash (s_0 :: s_0 :: s :: \theta) \sim (\sigma_0 :: \theta')}$

By definition of the  $\mathcal{H}$ -VHDL simulation relation (i.e.  $E_p, \Delta, \tau, \sigma_0 \vdash d.cs \rightarrow \theta'$ ), we have:

$E_p, \Delta, \tau, \sigma_0 \vdash d.cs \xrightarrow{\uparrow\downarrow} \sigma, \sigma'$  and  $E_p, \Delta, \tau - 1, \sigma' \vdash d.cs \rightarrow \theta''$  and  $\theta' = \sigma :: \sigma' :: \theta''$

Rewriting  $\theta'$ , the new goal is:  $\boxed{\gamma \vdash (s_0 :: s_0 :: s :: \theta) \sim (\sigma_0 :: \sigma :: \sigma' :: \theta'')}$

By definition of the full execution trace similarity relation, there are four points to prove:

1.  $\boxed{\gamma \vdash s_0 \sim \sigma_0}$ . Appealing to Lemma 5, we can show  $\boxed{\gamma \vdash s_0 \sim \sigma_0}$ .
2.  $\boxed{\gamma \vdash s_0 \overset{\uparrow}{\sim} \sigma}$ . Appealing to Lemma 15, we have  $\boxed{\gamma, E_c, \tau \vdash s_0 \overset{\uparrow}{\approx} \sigma}$ .  
By definition of  $\gamma, E_c, \tau \vdash s_0 \overset{\uparrow}{\approx} \sigma$  (Definition 17), we can show  $\boxed{\gamma \vdash s_0 \overset{\uparrow}{\sim} \sigma}$ .
3.  $\boxed{\gamma \vdash s \overset{\downarrow}{\sim} \sigma'}$ . Appealing to Lemmas 15 and 3, we have  $\boxed{\gamma \vdash s \overset{\downarrow}{\approx} \sigma'}$ .  
By definition of  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma'$  (Definition 19), we can show  $\boxed{\gamma \vdash s \overset{\downarrow}{\sim} \sigma'}$ .
4.  $\boxed{\gamma \vdash \theta \overset{\uparrow}{\sim} \theta''}$ .  
Appealing to Lemmas 15 and 3, we have  $\boxed{\gamma \vdash s \overset{\downarrow}{\approx} \sigma'}$ .  
Then, we can appeal to Lemma 1 to show  $\boxed{\gamma \vdash \theta \overset{\uparrow}{\sim} \theta''}$ .

□

Lemma 1 is similar to Theorem 5 except that the execution/simulation traces are not produced starting from the initial states, but starting from two states verifying the full post falling edge state similarity relation (i.e.  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$ ). The SITPN execution relation and the  $\mathcal{H}$ -VHDL simulation relation execute one computational step at clock count  $\tau$  and then decrement the clock count and call themselves recursively to produce the rest of the execution/simulation traces. Therefore, the proof of Lemma 1 is naturally done by induction over the clock count  $\tau$ .

**Lemma 1 (Bisimulation).** *For all  $sitpn, d, \gamma, E_p, E_c, \tau, s, \theta_s, \sigma, \theta_\sigma, \Delta, \sigma_e$ , assume that:*

- $\lfloor sitpn \rfloor_{\mathcal{H}} = (d, \gamma)$  and  $\gamma \vdash E_p \stackrel{env}{=} E_c$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} (\Delta, \sigma_e)$
- Starting states are fully similar, as intended after a falling edge:  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$
- $E_c, \tau \vdash sitpn, s \rightarrow \theta_s$
- $E_p, \Delta, \tau, \sigma \vdash d.cs \rightarrow \theta_\sigma$

then  $\gamma \vdash \theta_s \overset{\uparrow}{\sim} \theta_\sigma$ .

*Proof.* Assuming the above hypotheses, let us show  $\boxed{\gamma \vdash \theta_s \overset{\uparrow}{\sim} \theta_\sigma}$ . Let us reason by induction on  $\tau$ .

- **Base case:**  $\tau = 0$ . Then,  $\theta_s = \theta_\sigma = []$  and by definition of the execution trace similarity relation, we can show  $\boxed{\gamma \vdash [] \overset{\uparrow}{\sim} []}$ .
- **Induction case:**  $\tau > 0$ . The induction hypothesis is:

$$\boxed{\forall s, \sigma, \theta_s, \theta_\sigma \text{ s.t. } \gamma \vdash s \overset{\downarrow}{\approx} \sigma \text{ and } E_c, \tau - 1 \vdash sitpn, s \rightarrow \theta_s \text{ and } E_p, \Delta, \tau - 1, \sigma \vdash d.cs \rightarrow \theta_\sigma, \text{ then } \gamma \vdash \theta_s \overset{\uparrow}{\sim} \theta_\sigma}$$

By definition of the SITPN execution and the  $\mathcal{H}$ -VHDL simulation relations for  $\tau > 0$ , we have:

- $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$  and  $E_c, \tau \vdash s' \xrightarrow{\downarrow} s''$  and  $E_c, \tau - 1 \vdash sitpn, s'' \rightarrow \theta$ .
- $\text{Inject}_\uparrow(\sigma, E_p, \tau, \sigma_i)$  and  $\Delta, \sigma_i \vdash d.cs \xrightarrow{\uparrow} \sigma_\uparrow$  and  $\Delta, \sigma_\uparrow \vdash d.cs \rightsquigarrow \sigma'$
- $\text{Inject}_\downarrow(\sigma', E_p, \tau, \sigma'_i)$  and  $\Delta, \sigma'_i \vdash d.cs \xrightarrow{\downarrow} \sigma_\downarrow$  and  $\Delta, \sigma_\downarrow \vdash d.cs \rightsquigarrow \sigma''$
- $E_p, \Delta, \tau - 1, \sigma'' \vdash d.cs \rightarrow \theta'$ .

and  $\theta_s = s' :: s'' :: \theta$  and  $\theta_\sigma = \sigma' :: \sigma'' :: \theta'$ .

Then, the new goal is:  $\boxed{\gamma \vdash (s' :: s'' :: \theta) \xrightarrow{\uparrow} (\sigma' :: \sigma'' :: \theta')}$ .

By definition of the execution trace similarity relation, there are three points to prove:

1.  $\boxed{\gamma \vdash s' \overset{\uparrow}{\sim} \sigma'}$ . Appealing to Lemma 2, we have  $\boxed{\gamma, E_c, \tau \vdash s' \overset{\uparrow}{\approx} \sigma'}$ .

By definition of  $\gamma, E_c, \tau \vdash s' \overset{\uparrow}{\approx} \sigma'$  (Definition 17), we can show  $\boxed{\gamma \vdash s' \overset{\uparrow}{\sim} \sigma'}$ .

2.  $\boxed{\gamma \vdash s'' \overset{\downarrow}{\sim} \sigma''}$ . Appealing to Lemmas 2 and 3, we have  $\boxed{\gamma \vdash s'' \overset{\downarrow}{\approx} \sigma''}$ .

By definition of  $\gamma \vdash s'' \overset{\downarrow}{\approx} \sigma''$  (Definition 19), we can show  $\boxed{\gamma \vdash s'' \overset{\downarrow}{\sim} \sigma''}$ .

3.  $\boxed{\gamma \vdash \theta \overset{\uparrow}{\sim} \theta'}$ .

We can apply the induction hypothesis with  $s = s''$ ,  $\sigma = \sigma''$ ,  $\theta_s = \theta$  and  $\theta_\sigma = \theta'$ . Then, what is left to prove is:  $\boxed{\gamma \vdash s'' \overset{\downarrow}{\approx} \sigma''}$

Appealing to Lemmas 2 and 3, we can show  $\boxed{\gamma \vdash s'' \overset{\downarrow}{\approx} \sigma''}$ .

□

To prove the semantic preservation property, we want to prove that a given SITPN and its translated  $\mathcal{H}$ -VHDL version follow the bisimulation diagram of Figure 2.3.



FIGURE 2.3: Bisimulation diagram over one clock cycle for a source SITPN and a target  $\mathcal{H}$ -VHDL design; the left part of the diagram presents the execution of an SITPN over one clock cycle, and the right part of the diagram presents the simulation of an  $\mathcal{H}$ -VHDL design over one clock cycle; the upper part of the diagram corresponds to the rising edge phase of the clock cycle, and the lower part illustrates the falling edge phase of the clock cycle.

The upper part of the diagram is proved by Lemma 2. First, we assume that the starting SITPN state and the starting  $\mathcal{H}$ -VHDL design state verify the full post falling edge state similarity relation at the beginning of the clock cycle (i.e.,  $s \overset{\downarrow}{\approx} \sigma$  in Figure 2.3). Then, Lemma 2 states that, after the computation of a rising edge step on the SITPN side and on the  $\mathcal{H}$ -VHDL side, the resulting states verify the full post rising edge state similarity relation. The lower part of the diagram is proved by Lemma 3. First, we assume that the starting SITPN state and the starting  $\mathcal{H}$ -VHDL state verify the full post rising edge state similarity relation (i.e.,  $s' \overset{\uparrow}{\approx} \sigma'$  in Figure 2.3). Then, Lemma 3 states that, after the computation of a falling edge step on the SITPN side and on the  $\mathcal{H}$ -VHDL side, the resulting states verify the full post falling edge state similarity relation.

Here, we present Lemma 2 and Lemma 3, along with their proofs. In the two lemmas, we added an extra hypothesis about the starting state of the  $\mathcal{H}$ -VHDL design:  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma \vdash d.cs \xrightarrow{comb} \sigma$ . This hypothesis states that all signal values are stable at the beginning of the considered clock phase. This means that the execution of the combinational part of the  $\mathcal{H}$ -VHDL design does not change the value of signals anymore. This hypothesis is mandatory to determine the expression associated to combinational signals, i.e. the *combinational equations*, at the beginning of the clock phase (see Section 2.4 for more details about combinational equations).

To prove Lemmas 2 and 3, one must show that every point of the state similarity relation in the conclusion holds. For each point, the proof is given as a separate lemma that the reader will find in Appendix A. The proof strategy to show the equalities or equivalences laid out in the state similarity relation follows the same two-fold pattern:

- First, reason on the SITPN structure and on the transformation function to determine the content of the target  $\mathcal{H}$ -VHDL design.
- Then, reason on the SITPN state transition relation and the  $\mathcal{H}$ -VHDL “simulation” relations (i.e., the  $\text{Inject}_{clk}, \uparrow, \downarrow$  and  $\rightsquigarrow$  relations) to establish the equality between the values coming from the SITPN world (i.e., marking, time counters, reset orders, etc., and also predicates) and the values of the signals declared in the  $\mathcal{H}$ -VHDL design and in its internal component instances.

The application of this proof strategy will be detailed in Section 2.4.

**Lemma 2** (Rising edge). *For all  $sitpn \in \text{SITPN}$ ,  $d \in \text{design}$ ,  $\gamma \in \text{WM}(sitpn, d)$ ,  $E_c \in \mathbb{N} \rightarrow C \rightarrow \mathbb{B}$ ,  $\Delta \in \text{ElDesign}(d, \mathcal{D}_{\mathcal{H}})$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow \text{Ins}(\Delta) \rightarrow \text{value}$ ,  $\tau \in \mathbb{N}$ ,  $s, s' \in S(sitpn)$ ,  $\sigma_e, \sigma, \sigma_i, \sigma_{\uparrow}, \sigma' \in \Sigma(\Delta)$ , assume that:*

- $\lfloor sitpn \rfloor_{\mathcal{H}} = (d, \gamma)$  and  $\gamma \vdash E_p \stackrel{env}{=} E_c$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} \Delta, \sigma_e$
- $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$
- $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$
- $\text{Inject}_{\uparrow}(\sigma, E_p, \tau, \sigma_i)$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_i \vdash d.cs \xrightarrow{\uparrow} \sigma_{\uparrow}$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_{\uparrow} \vdash d.cs \rightsquigarrow \sigma'$
- State  $\sigma$  is a stable design state:  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma \vdash d.cs \xrightarrow{comb} \sigma$

then  $\gamma, E_c, \tau \vdash s' \overset{\uparrow}{\approx} \sigma'$ .

*Proof.* By definition of the **Full post rising edge state similarity** relation, there are 8 points to prove:

1.  $\forall p \in P, id_p \in \text{Comps}(\Delta) \text{ s.t. } \gamma(p) = id_p, s'.M(p) = \sigma'(id_p)(\text{"s_marking"})$ .
2.  $\forall t \in T_i, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(upper(I_s(t)) = \infty \wedge s'.I(t) \leq lower(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"})$   
 $\wedge (upper(I_s(t)) = \infty \wedge s'.I(t) > lower(I_s(t))) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = lower(I_s(t)))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) > upper(I_s(t))) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = upper(I_s(t)))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) \leq upper(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"}))$ .
3.  $\forall t \in T_i, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t, s'.reset_t(t) = \sigma'(id_t)(\text{"s_reinit_time_counter"})$ .
4.  $\forall a \in \mathcal{A}, id_a \in \text{Outs}(\Delta) \text{ s.t. } \gamma(a) = id_a, s'.ex(a) = \sigma'(id_a)$ .
5.  $\forall f \in \mathcal{F}, id_f \in \text{Outs}(\Delta) \text{ s.t. } \gamma(f) = id_f, s'.ex(f) = \sigma'(id_f)$ .
6.  $\forall t \in T, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in \text{Sens}(s'.M) \Leftrightarrow \sigma'(id_t)(\text{"s_enabled"}) = \text{true}$ .
7.  $\forall t \in T, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin \text{Sens}(s'.M) \Leftrightarrow \sigma'(id_t)(\text{"s_enabled"}) = \text{false}$ .

8.  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,

$$\sigma'(id_t)(\text{"s\_condition\_combination"}) = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

where  $\text{conds}(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$ .

Each point is proved by a separate lemma:

- Apply the **Rising edge equal marking** lemma to solve 1.
- Apply the **Rising edge equal time counters** lemma to solve 2.
- Apply the **Rising edge equal reset orders** lemma to solve 3.
- Apply the **Rising edge equal action executions** lemma to solve 4.
- Apply the **Rising edge equal function executions** lemma to solve 5.
- Apply the **Rising edge equal sensitized** lemma to solve 6.
- Apply the **Rising edge equal not sensitized** lemma to solve 7.
- Apply the **Rising edge equal condition combination** lemma to solve 8.

□

**Lemma 3** (Falling edge). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ ,  $\tau \in \mathbb{N}$ ,  $s, s' \in S(sitpn)$ ,  $\sigma_e, \sigma, \sigma_i, \sigma_{\downarrow}, \sigma' \in \Sigma(\Delta)$ , assume that:*

- $\lfloor sitpn \rfloor_{\mathcal{H}} = (d, \gamma)$  and  $\gamma \vdash E_p \stackrel{\text{env}}{=} E_c$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} \Delta, \sigma_e$
- $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$
- $E_c, \tau \vdash s \overset{\downarrow}{\rightarrow} s'$
- $\text{Inject}_{\downarrow}(\sigma, E_p, \tau, \sigma_i)$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_i \vdash d.cs \xrightarrow{\downarrow} \sigma_{\downarrow}$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_{\downarrow} \vdash d.cs \rightsquigarrow \sigma'$
- State  $\sigma$  is a stable design state:  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma \vdash d.cs \xrightarrow{\text{comb}} \sigma$

then  $\gamma \vdash s' \overset{\downarrow}{\approx} \sigma'$ .

*Proof.* By definition of the **Full post falling edge state similarity** relation, there are 11 points to prove:

1.  $\forall p \in P, id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p$ ,  $s'.M(p) = \sigma'(id_p)(\text{"s_marking"})$ .
2.  $\forall t \in T_i, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  
 $(upper(I_s(t)) = \infty \wedge s'.I(t) \leq lower(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"})$   
 $\wedge (upper(I_s(t)) = \infty \wedge s'.I(t) > lower(I_s(t))) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = lower(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) > upper(I_s(t))) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = upper(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s'.I(t) \leq upper(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"}).$
3.  $\forall c \in \mathcal{C}, id_c \in Ins(\Delta)$  s.t.  $\gamma(c) = id_c$ ,  $s'.cond(c) = \sigma'(id_c)$ .

4.  $\forall a \in \mathcal{A}, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s'.ex(a) = \sigma'(id_a).$
5.  $\forall f \in \mathcal{F}, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s'.ex(f) = \sigma'(id_f).$
6.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Firable(s') \Leftrightarrow \sigma'(id_t)(“s\_firable”) = \text{true}.$
7.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Firable(s') \Leftrightarrow \sigma'(id_t)(“s\_firable”) = \text{false}.$
8.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Fired(s') \Leftrightarrow \sigma'(id_t)(“fired”) = \text{true}.$
9.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Fired(s') \Leftrightarrow \sigma'(id_t)(“fired”) = \text{false}.$
10.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, \sum_{t \in Fired(s')} pre(p, t) = \sigma'(id_p)(“s\_output\_token\_sum”).$
11.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, \sum_{t \in Fired(s')} post(t, p) = \sigma'(id_p)(“s\_input\_token\_sum”).$

Each point is proved by a separate lemma:

- Apply the **Falling edge equal marking** lemma to solve 1.
- Apply the **Falling edge equal time counters** lemma to solve 2.
- Apply the **Falling edge equal condition values** lemma to solve 3.
- Apply the **Falling edge equal action executions** lemma to solve 4.
- Apply the **Falling edge equal function executions** lemma to solve 5.
- Apply the **Falling edge equal firable** lemma to solve 6.
- Apply the **Falling edge equal not firable** lemma to solve 7.
- Apply the **Falling edge equal fired** lemma to solve 8.
- Apply the **Falling Edge Equal Not Fired** lemma to solve 9.
- Apply the **Falling Edge Equal Output Token Sum** lemma to solve 10.
- Apply the **Falling Edge Equal Input Token Sum** lemma to solve 11.

□

## 2.4 A detailed proof: equivalence of fired transitions

The goal of this section is to present the overall proof strategy used to establish the semantic preservation property. We use the proof of Lemma 4, which is involved in the proof of Lemma **Falling edge**, to illustrate our demonstration techniques. The proof of Lemma 4 has been one of the most complex parts of the overall demonstration, and we believe it is worth presenting in detail. It has also led to the detection of a bug. We give a full account of this bug, and of how we corrected it, at the end of the section.

### 2.4.1 An accompanied journey along the proof

The proof of Lemma 4 pertains to the set of fired transitions. In an SITPN, the firing process, based on the set of fired transitions, is responsible for the computation of the new marking, the reset orders, and the execution of functions during the rising edge phase. Therefore, to prove the semantic preservation property, we must establish the equivalence between the set of fired transitions as defined on the SITPN side and the set of fired transitions as defined on the  $\mathcal{H}$ -VHDL side. The equivalence must hold at the beginning of the rising edge phase, i.e. when the set of fired transitions is used to compute a new SITPN state. To express Lemma 4, we must first define the hypotheses stating that a falling edge phase happened in the course of the execution of an SITPN and of its corresponding  $\mathcal{H}$ -VHDL design, plus some hypotheses about the similarity of the states at the beginning of the falling edge phase:

**Definition 23** (Falling edge hypotheses). *Given a  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ ,  $\tau \in \mathbb{N}$ ,  $s, s' \in S(sitpn)$ ,  $\sigma_e, \sigma, \sigma_i, \sigma_{\downarrow}, \sigma' \in \Sigma(\Delta)$ , assume that:*

- *SITPN sitpn translates into  $\mathcal{H}$ -VHDL design d and yields a binder  $\gamma$ :  $[sitpn]_{\mathcal{H}} = (d, \gamma)$*
- *Simulation/Execution environments are similar:  $\gamma \vdash E_p \stackrel{env}{=} E_c$*
- *$\Delta$  is the elaborated version of design d, and  $\sigma_e$  is the default design state of  $\Delta$ :  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{elab} \Delta, \sigma_e$*
- *Starting states are similar according to the full post rising edge similarity relation:  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$*
- *On the SITPN side, the execution of a falling edge phase starting from state s leads to state s':  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$*
- *On the  $\mathcal{H}$ -VHDL side, the simulation of a falling edge phase starting from state  $\sigma$  leads to state  $\sigma'$ :  $\text{Inject}_{\downarrow}(\sigma, E_p, \tau, \sigma_i)$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_i \vdash d.cs \xrightarrow{\downarrow} \sigma_{\downarrow}$  and  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma_{\downarrow} \vdash d.cs \rightsquigarrow \sigma'$*
- *State  $\sigma$  is a stable design state:  $\mathcal{D}_{\mathcal{H}}, \Delta, \sigma \vdash d.cs \xrightarrow{comb} \sigma$*

The hypotheses of Definition 23 are shared by all the lemmas expressing properties about the falling edge phase; Definition 23 therefore allows a more concise statement of these lemmas. We can now state Lemma **Falling edge equal fired**:

**Lemma 4** (Falling edge equal fired). *For all  $sitpn$ ,  $d$ ,  $\gamma$ ,  $\Delta$ ,  $\sigma_e$ ,  $E_c$ ,  $E_p$ ,  $\tau$ ,  $s$ ,  $s'$ ,  $\sigma$ ,  $\sigma_i$ ,  $\sigma_{\downarrow}$ ,  $\sigma'$  that verify the hypotheses of Definition 23, then  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  $t \in Fired(s') \Leftrightarrow \sigma'(id_t)(“fired”) = true$ .*

Let us now detail the proof of Lemma 4. To prove Lemma 4, we must reason on a given transition  $t$  of the input SITPN  $sitpn$  and on a TCI  $id_t$  in the output  $\mathcal{H}$ -VHDL design  $d$ . Transition  $t$  and TCI  $id_t$  are bound together through the binder  $\gamma$  returned by the transformation function. This means that the TCI  $id_t$  structurally represents the transition  $t$  in the output  $\mathcal{H}$ -VHDL design  $d$ . In this setting, we want to prove that  $t$  belongs to the set of fired transitions at the end of the falling edge phase if and only if the fired port of  $id_t$  equals true at the end of the falling edge phase. Formally, we want to prove:  $t \in Fired(s') \Leftrightarrow \sigma'(id_t)(“fired”) = true$ .

To prove the equivalence, we must first look at the definition of the set of fired transitions on the SITPN side and on the  $\mathcal{H}$ -VHDL side, and then think of a way to relate the two definitions.

On the SITPN side, the set of fired transitions receives an intensional and recursive definition (see Definition 9) depending on a given SITPN state. In Lemma 4, we are interested in the definition of the set of fired transitions at state  $s'$ , i.e. the state at the end of the falling edge phase (which is also the state at the beginning of the next rising edge phase). A transition belongs to the set of fired transitions if it is *firable* (see Definition 8) and sensitized by the *residual marking* at the considered SITPN state. Figure 2.4 gives the set of fired transitions, i.e.  $\text{Fired}(s)$ , for an example SITPN at a given state  $s$ . Here, transitions  $t_a$ ,  $t_b$  and  $t_c$  are all firable at state  $s$ ; however, only transition  $t_c$  is sensitized by the residual marking.



FIGURE 2.4: The set of fired transitions for an example SITPN at a given SITPN state  $s$ ; on the right side, the dotted arrows indicate the priority relation between the three transitions ( $t_c$  is the top-priority transition); on the left side, each transition is associated with its  $\text{Pr}$  set, which is necessary to compute the residual marking.

The computation of the residual marking involves the  $\text{Pr}$  sets, which are, for a given transition  $t$  and a state  $s$ , the set of transitions with a higher firing priority than  $t$  that are actually fired at  $s$ . This is where the recursive definition of the set of fired transitions begins. The definition is correct, i.e. the recursion terminates, if the priority relation is a strict order over the set of transitions, so that there always exist top-priority transitions (e.g.  $t_c$  in Figure 2.4). The condition that the priority relation be a strict order over the set of transitions is part of the definition of a well-defined SITPN (see Definition 4). By definition, top-priority transitions have an empty  $\text{Pr}$  set, since there exists no transition with a higher firing priority than a top-priority transition. Thus, a top-priority transition that is firable is also fired. Note that one cannot determine the  $\text{Pr}$  set of a transition before having determined the firing status of all the transitions with a higher firing priority. For instance, in Figure 2.4, it is impossible to know the content of  $\text{Pr}(t_a)$  before having determined whether transition  $t_b$  is fired or not. To know whether  $t_b$  is fired, we must determine the content of  $\text{Pr}(t_b)$ , and to do so we must first determine the firing status of  $t_c$ . Even though the definition of the set of fired transitions is very declarative, this hints at a natural algorithm to build the set of fired transitions at a given SITPN state: decide the transitions in decreasing priority order.

On the  $\mathcal{H}$ -VHDL side, the set of fired transitions is defined through the value of the `fired` port of TCIs. The transition design declares an output port of Boolean type with the identifier `fired`. What we want to prove in Lemma 4 is that, at the end of the falling edge phase (i.e. at state  $\sigma'$ ), the value of the `fired` port of a TCI reflects the firing status of the corresponding transition. The `fired` port is a combinational signal. This means that its value is given by an equation that holds when all signals are stable, i.e. at the end of the stabilization phases happening during the simulation. From the point of view of circuit synthesis, this equation reflects the wiring of the port in the described hardware circuit. Figure 2.5 shows the part of the transition design architecture describing how the `fired` port is connected to the other internal signals.



FIGURE 2.5: Wiring of the `fired` output port in the transition design architecture; on the left side is the input interface of the transition design; on the right side is the output interface of the transition design, with the `fired` port; in red are the parts of the architecture that depend on synchronous logic and in black are the parts that are purely combinational.

In Figure 2.5, the labels underneath the *and* logic gates and inside the block denote the names of the processes defined in the transition design architecture as VHDL code. As a matter of fact, Figure 2.5 is a transcription of the code defining the transition design architecture. Therefore, by looking at the VHDL code, we are able to determine the combinational equation associated with the `fired` port. Given a TCI  $id_t$  in a top-level design and a state  $\sigma$  denoting a current stable state of the design (remember that combinational equations hold when the signal values are stable), the `fired` port equation at  $\sigma$  is:

$$\sigma(id_t)(\text{"fired"}) = \sigma(id_t)(\text{"s_firable"}) . \sigma(id_t)(\text{"s_priority_combination"}) \quad (2.2)$$

Equation (2.2) states that the value of the `fired` port is a simple “*and*” expression<sup>1</sup> between the value of the internal signal `s_firable` and `s_priority_combination`.

**Remark 3** (Signals and combinational equations). *In the course of the proof, many combinational equations are established (e.g., Equation (2.2)). These equations relate the value of a given signal to the value of other signals or expressions. All these equations are deduced by running the  $\mathcal{H}$ -VHDL semantics rules on the internal behavior (i.e., the processes) of the transition and place designs. A combinational equation is always the result of a signal assignment statement occurring inside the statement body of a process. For instance, in the transition design, the `fired_evaluation` process, presented in Listing 2.1, assigns the `fired` output port. Reasoning on the statement body of the `fired_evaluation` process and on the  $\mathcal{H}$ -VHDL semantics rules allows us to deduce Equation (2.2).*

<sup>1</sup>To differentiate the formulas of the intuitionistic logic from the expressions of the boolean logic, we use (“.”, “+”) to denote the *and* and *or* operators in boolean expressions, and ( $\wedge$ ,  $\vee$ ) to denote the conjunction and the disjunction in the intuitionistic formulas.

```vhdl
-- Combinational process: fired is the "and" of the two internal signals
fired_evaluation: process (s_firable, s_priority_combination)
begin
    fired <= s_firable and s_priority_combination;
end process fired_evaluation;
```

LISTING 2.1: The `fired_evaluation` process in the transition design architecture; its body statement assigns the `fired` output port; symbol `<=` is the VHDL signal assignment operator.

*Listing 2.2 presents the `priority_authorizations_evaluation` process, responsible for the assignment of the `s_priority_combination` in the transition design.*

```vhdl
priority_authorization_evaluation: process(priority_authorizations)
    variable v_priority_combination: std_logic;
begin
    v_priority_combination := '1';

    -- Accumulate the product of all priority authorizations
    for i in 0 to input_arcs_number - 1 loop
        v_priority_combination := v_priority_combination and priority_authorizations(i);
    end loop;

    s_priority_combination <= v_priority_combination; -- Assignment of the result
end process priority_authorization_evaluation;
```

LISTING 2.2: The `priority_authorizations_evaluation` process in the transition design's architecture. The local variable `v_priority_combination` accumulates the product of the `priority_authorizations` input ports in the `for` loop; then the last statement assigns the value of `v_priority_combination` to the `s_priority_combination` internal signal.

*Equation (2.3) gives the combinational equation deduced from the execution of the `priority_authorizations_evaluation` process for a given TCI  $id_t$  in a top-level design  $d$ . State  $\sigma$  denotes the current state of  $d$ , and  $\sigma(id_t)$  denotes the internal state of  $id_t$  at state  $\sigma$ . The elaborated design  $\Delta$  is the elaborated version of design  $d$ , and  $\Delta(id_t)$  is the elaborated version of  $id_t$ .*

$$\sigma(id_t)(\text{"spc"}) = \prod_{i=0}^{\Delta(id_t)(\text{"input_arcs_number"})-1} \sigma(id_t)(\text{"priority_authorizations"})[i] \quad (2.3)$$

*In Equation (2.3), “spc” is an alias for the `s_priority_combination` signal. The `for` loop of the `priority_authorization_evaluation` process has been converted into a product expression where the index  $i$  follows the bounds of the loop. The `priority_authorizations` signal is an input port of type array, thus we use the bracketed notation  $a[i]$  to access the element of index  $i$  in array  $a$ . Also, we know that `input_arcs_number` identifies a generic constant of the transition design, thus, we can retrieve its value in the elaborated design  $\Delta(id_t)$ .*

*In the proofs laid out in Appendix A and in this chapter, we do not detail how the execution of the statement body of processes permits us to deduce combinational equations. We find that the proofs are easier to follow without going into so much detail. We leave aside the task of proving that these equations hold until the mechanization with the Coq proof assistant. For now, the reader can convince himself/herself that an equation holds by looking at the code of the place and transition designs (see Appendix).*

Now that we know which combinational equation is attached to the value of the output port `fired` for a given TCI, we must relate this equation to the definition of the set of fired transitions on the SITPN side. By definition of the set of fired transitions, we know that  $t \in Fired(s')$  is equivalent to  $t \in \text{Firable}(s') \wedge t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t,s')} \text{pre}(t_i))$  where  $\text{Pr}(t,s') = \{t' \mid t' \succ t \wedge t' \in \text{Fired}(s')\}$ . By definition of the fired port equation, we know that  $\sigma'(id_t)(\text{"fired"}) = \sigma'(id_t)(\text{"s\_firable"}) \cdot \sigma'(id_t)(\text{"s\_priority\_combination"})$ . Using these definitions to rewrite the terms of the current goal, the new goal to prove is:

$$\begin{aligned} t \in \text{Firable}(s') \wedge t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t,s')} \text{pre}(t_i)) &\Leftrightarrow \\ \sigma'(id_t)(\text{"s\_firable"}) \cdot \sigma'(id_t)(\text{"s\_priority\_combination"}) &= \text{true} \end{aligned}$$

Thanks to Lemma 39, we know that  $t \in \text{Firable}(s')$  iff  $\sigma'(id_t)(\text{"s\_firable"}) = \text{true}$ . Then, we can get rid of these two terms in the current goal; what is left to prove is:

$$\begin{aligned} t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t,s')} \text{pre}(t_i)) &\Leftrightarrow \\ \left( \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] \right) &= \text{true} \end{aligned}$$

Then, the proof is in two parts:

- Assuming  $t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t,s')} \text{pre}(t_i))$ , let us show that

$$\left( \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] \right) = \text{true}.$$

- Assuming  $\left( \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] \right) = \text{true}$ , let us show that

$$t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t,s')} \text{pre}(t_i)).$$

Let us prove the first point. Assuming that  $t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t,s')} \text{pre}(t_i))$ , let us show

$$\left( \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] \right) = \text{true}.$$

To prove the current goal, we can equivalently show that:

$$\forall i \in [0, \Delta(id_t)(\text{"ian"}) - 1], \sigma'(id_t)(\text{"pauths"})[i] = \text{true}.$$

For a given  $i \in [0, \Delta(id_t)(\text{"ian"}) - 1]$ , let us show that  $\sigma'(id_t)(\text{"pauths"})[i] = \text{true}$ . As shown in Figure 2.5, the signal priority\_authorizations is an input port of the transition design. Therefore, to know the value of the  $i$ -th element of port priority\_authorizations at state  $\sigma'(id_t)$ , we must know how the priority\_authorizations port is connected in the top-level design. Based on the transformation function, the connection of the priority\_authorizations port of the TCI  $id_t$  depends on the set of input places of the transition  $t$ . If the set of input places of  $t$  is empty, then all elements of the priority\_authorizations port are connected to the constant true, and proving the goal is trivial. If the set of input places of  $t$  is not empty, then the connection of the  $i$ -th element of the priority\_authorizations port reflects the connection of some place  $p$  to the transition  $t$  by an input arc. We must then reason on the nature of the input arc connecting  $p$  to  $t$ . The interesting case happens when  $p$  and  $t$  are connected by a basic arc, and when the conflicts among the output transitions of  $p$  are handled by the priority relation. In that case, the  $i$ -th element of the priority\_authorizations input port of the transition component instance  $id_t$  is connected to the  $j$ -th element of the priority\_authorizations output port of the PCI  $id_p$ . Figure 2.6 shows the connection of the priority\_authorizations port between the component instances  $id_p$  and  $id_t$ .



FIGURE 2.6: Connection of the  $j$ -th element of the priority\_authorizations output port of  $id_p$  to the  $i$ -th element of the priority\_authorizations input port of  $id_t$ ; also the fired output port of  $id_t$  is connected to the  $j$ -th element of the output\_transitions\_fired input port of  $id_p$ .

Thus, we know that the value of the  $i$ -th element of the priority\_authorizations input port of  $id_t$  is bound to the value of the  $j$ -th element of the priority\_authorizations output port of  $id_p$ .

Thus, to show that  $\sigma'(id_t)(\text{"pauths"})[i] = \text{true}$ , we must now show that  $\sigma'(id_p)(\text{"pauths"})[j] = \text{true}$ . We must now look at the architecture of the place design to determine the combinational equation associated to the  $j$ -th element of the priority\_authorizations output port. Figure 2.7 illustrates the wiring of the priority\_authorizations output port in a place design.



FIGURE 2.7: Wiring of the priority\_authorizations output port in the architecture of the place design; the input port interface is on the left side and the output port interface is on the right side; the synchronous parts are in red and the combinational ones are in black.

Figure 2.7 shows that the value of the elements of the priority\_authorizations output port is computed by the `priority_evaluation` process. This process reads the value of the `s_marking` signal, assigned by the synchronous process `marking`. It also reads the value of the input ports `output_transitions_fired`, `output_arcs_types` and `output_arcs_weights`. In Figure 2.7, the ports of the input and output interfaces are composite ports (i.e., of array type) with an upper bound index equal to  $m$ . The number  $m$  is equal to the expression `output_arcs_number - 1`, where `output_arcs_number` is a generic constant of the place design. The value of the `output_arcs_number` constant is set at the generation of the generic map of a place component instance  $id_p$ , and is equal to the number of output transitions of place  $p$ . Listing 2.3 presents the code of the `priority_evaluation` process defined in the architecture of the place design.

```

1 priority_evaluation : process (output_transitions_fired, s_marking, output_arcs_types,
2     output_arcs_weights)
3     variable v_saved_output_token_sum : local_weight_t;
4 begin
5     v_saved_output_token_sum := 0;
6     for k in 0 to output_arcs_number - 1 loop
7
8         priority_authorizations(k) <= (s_marking - v_saved_output_token_sum >=
9             output_arcs_weights(k));
10
11        if (output_transitions_fired(k) = '1') and (output_arcs_types(k) = arc_t(BASIC)) then
12            v_saved_output_token_sum := v_saved_output_token_sum + output_arcs_weights(k);
13        end if;
14
15    end loop;
16 end process priority_evaluation;
```

LISTING 2.3: The `priority_evaluation` process in the place design's architecture.

In the statement body of the `priority_evaluation` process, each element of the `priority_authorizations` output port is assigned at Line 8 inside the `for` loop. The statement of Line 8 assigns the result of the test `s_marking - v_saved_output_token_sum >= output_arcs_weights(k)` to the  $k$ -th element of `priority_authorizations`. The test checks that the value of the `s_marking` signal, representing the current marking of the PCI, minus the value of the local variable `v_saved_output_token_sum`, is greater than or equal to the value of the  $k$ -th element of the `output_arcs_weights` signal. The test corresponds to the test of sensitization by the residual marking for the TCI connected through index  $k$ .

Getting back to our proof, the following combinational equation holds for the  $j$ -th element of the `priority_authorizations` port at state  $\sigma'$ :

$$\sigma'(id_p)(\text{"pauths"})[j] = (\sigma'(id_p)(\text{"s_marking"}) - \text{vsots}) \geq \sigma'(id_p)(\text{"output_arcs_weights"})[j] \quad (2.4)$$

Then, rewriting the goal with Equation (2.4), the new goal is:

$$(\sigma'(id_p)(\text{"s_marking"}) - \text{vsots}) \geq \sigma'(id_p)(\text{"output_arcs_weights"})[j] = \text{true}.$$

Here  $\geq$  denotes a Boolean operator, i.e.  $\geq \in \mathbb{N} \rightarrow \mathbb{N} \rightarrow \mathbb{B}$ . As the  $\geq \subseteq (\mathbb{N} \times \mathbb{N})$  relation is decidable for all pairs of natural numbers, we can interchange an expression  $a \geq b = \text{true}$  with  $a \geq b$  where  $a, b \in \mathbb{N}$ . We will generalize this practice to every Boolean operator having a corresponding decidable relation. Thus, the new goal is:

$$\sigma'(id_p)(\text{"s_marking"}) - \text{vsots} \geq \sigma'(id_p)(\text{"output_arcs_weights"})[j].$$

Here, the term `vsots` corresponds to the value of the local variable `v_saved_output_token_sum` at the moment of the assignment in the `for` loop. By looking at the code of Listing 2.3 (Lines 11 to 13), we can deduce the value of `vsots`:

$$\text{vsots} = \sum_{l=0}^{j-1} \begin{cases} \sigma'(id_p)(\text{"oaw"})[l] & \text{if } \sigma'(id_p)(\text{"otf"})[l] = \text{true} \wedge \sigma'(id_p)(\text{"oat"})[l] = \text{basic} \\ 0 & \text{otherwise} \end{cases} \quad (2.5)$$

In Equation (2.5), “oaw”, “otf” and “oat” are aliases for the `output_arcs_weights`, `output_transitions_fired` and `output_arcs_types` input ports of  $id_p$ . The `vsots` term is equal to the sum of the output arc weights for all TCIs, representing output transitions of  $p$ , connected through an index  $l$  comprised between 0 and  $j - 1$ . The output arc weight is taken into account in the sum only if the TCI connected through index  $l$  has a fired port equal to true (i.e. the output\_transitions\_fired input port of  $id_p$  equals true at index  $l$ ) and is linked to the place by a basic input arc (i.e. the output\_arcs\_types input port of  $id_p$  equals basic at index  $l$ ). The order of the indexes from 0 to output\_arcs\_number – 1 reflects the priority order of the output transitions of place  $p$ . Therefore, the indexes from 0 to  $j - 1$  are linked to transitions with a higher firing priority than the transition connected to index  $j$ . Figure 2.8 reuses the SITPN of Figure 2.4 to illustrate how the indexes are ordered when the connection between the PCI  $id_p$  and its output TCIs  $id_{t_a}$ ,  $id_{t_b}$  and  $id_{t_c}$  is set (i.e., in the course of the transformation).



FIGURE 2.8: Connection between the priority\_authorizations output port of PCI  $\text{id}_p$  and the priority\_authorizations input port of TCIs  $\text{id}_{t_a}$ ,  $\text{id}_{t_b}$  and  $\text{id}_{t_c}$ , and between the output\_transitions\_fired input port of  $\text{id}_p$  and the fired ports of  $\text{id}_{t_a}$ ,  $\text{id}_{t_b}$  and  $\text{id}_{t_c}$ . pauths stands for priority\_authorizations and otf stands for output\_transitions\_fired.

In Figure 2.8, the indexes in the interface of  $\text{id}_p$  respect the priority order of the output transitions. The index increases as the priority level of the connected TCI decreases. Thus,  $\text{id}_{t_c}$  is connected to index 0 as transition  $t_c$  is the top-priority transition in the output transitions of  $p$ .

As a reminder, the current goal to prove is:

$$\sigma'(\text{id}_p)(\text{"s_marking"}) - \text{vsots} \geq \sigma'(\text{id})(\text{"output_arcs_weights"})[j].$$

The current goal is the  $\mathcal{H}$ -VHDL implementation of the test that the residual marking in place  $p$  enables transition  $t$ . We made the hypothesis that transition  $t$  is sensitized by the residual marking for all its input places, i.e.  $t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t,s')} \text{pre}(t_i))$ . By looking at the definition of  $\text{Sens}$ , and knowing that a basic arc of weight  $\omega$  connects place  $p$  to transition  $t$ , we can deduce that  $s'.M(p) - \sum_{t_i \in \text{Pr}(t,s')} \text{pre}(p,t_i) \geq \omega$ . Now, we must relate the terms of the preceding formula to the terms of the goal. We can easily show, appealing to Lemma 32, that  $s'.M(p)$  equals  $\sigma'(id_p)(\text{"s_marking"})$ . Then, by construction, and knowing that TCI  $id_t$  is connected to PCI  $id_p$  through the index  $j$ , we can deduce that the  $j$ -th element of the `output_arcs_weights` input port denotes the weight of the arc between place  $p$  and transition  $t$ , i.e.  $\omega$ . The last thing to show is the equality between the two sum terms:

$$\sum_{t_i \in \text{Pr}(t,s')} \begin{cases} \omega & \text{if } \text{pre}(p,t_i) = (\omega, \text{basic}) \\ 0 & \text{otherwise} \end{cases} = \sum_{l=0}^{j-1} \begin{cases} \sigma'(id_p)(\text{"oaw"})[l] & \text{if } \sigma'(id_p)(\text{"otf"})[l] \wedge \sigma'(id_p)(\text{"oat"})[l] = \text{basic} \\ 0 & \text{otherwise} \end{cases}$$

On the left side of the equality, we have unfolded term  $\sum_{t_i \in \text{Pr}(t,s')} \text{pre}(t_i)$  to its full definition (see Remark in Section). On the right side is the full definition of term `vsots`. We can reason by induction over the sum terms of the goal to complete the proof. At some point, we will have to show that there is a relation between an index  $l \in [0, j-1]$  and a transition  $t_i \in \text{Pr}(t,s')$ . Thanks to the ordering of the indexes based on the priority order of output transitions (see Figure 2.8), we know that there is a bijection between the output transitions of  $p$  with a higher priority than  $t$  and the indexes of interval  $[0, j-1]$ . However, to complete the proof, we must assume that for a given transition  $t_i$  with a higher priority than  $t$  and its corresponding TCI  $id_{t_i}$  the “fired” equivalence holds, i.e.:  $t_i \in \text{Fired}(s') \Leftrightarrow \sigma'(id_{t_i})(\text{"fired"}) = \text{true}$ . Unfortunately, this is exactly the property we are currently trying to prove.

Thus, to carry out the proof, we need a strong hypothesis stating that the equivalence between the set of fired transitions and the `fired` ports holds for all transitions with a higher firing priority than  $t$ . Therefore, we must think of a way to build the set of fired transitions iteratively, such that the previous hypothesis becomes an invariant over the iterations. As stated before, the current definition of the set of fired transitions is very declarative. However, we can easily convert it into an algorithm that builds the set iteratively. The result is Algorithm 1.

---

**Algorithm 1:** `fired(s)`


---

**Data:** An SITPN state  $s$

**Result:** Returns the set of fired transitions at state  $s$

```
1  $F \leftarrow \emptyset$ 
2  $T_s \leftarrow T$ 
3 while  $T_s \neq \emptyset$  do
4    $tp \leftarrow \text{GetTopPriorityTransitions}(T_s, \succ)$ 
5    $f \leftarrow \text{ElectFired}(s, tp, F)$ 
6    $F \leftarrow F \cup f$ 
7    $T_s \leftarrow T_s \setminus tp$ 
8 return  $F$ 
```

---

Algorithm 1 builds the set of fired transitions at state  $s$  by iterating over the set of transitions  $T$ . Local variables are initialized in the first two lines. Variable  $F$  carries the set of fired transitions, which is initially empty. Variable  $T_s$  represents the set of transitions still to be processed;  $T_s$  is equal to  $T$  at the beginning of the algorithm. At Line 3, the while loop iterates until all transitions of the  $T_s$  set have been elected for firing or have been discarded. At Line 4, function `GetTopPriorityTransitions` returns the set  $tp$  of top-priority transitions inside  $T_s$ . Then, we can proceed to the election of the fired transitions inside  $tp$ . We know that the following loop invariant holds: all fired transitions with a higher firing priority than the transitions of the  $tp$  set are inside set  $F$ . Therefore, set  $F$  contains all the transitions necessary to compute the residual marking that will be used to elect the fired transitions inside  $tp$ . This is done by the `ElectFired` function at Line 5. Then, the set  $f$  of fired transitions inside  $tp$  is merged with the overall set of fired transitions  $F$ . The statement of Line 7 withdraws the transitions of  $tp$  from set  $T_s$  before beginning another iteration. Because the priority relation  $\succ$  is a strict order over the set of transitions  $T$ , we can always find top-priority transitions in  $T_s$ . Thus,  $tp$  is never empty and  $T_s$  strictly decreases after the assignment of Line 7. Therefore, the algorithm always terminates and returns the set of fired transitions at state  $s$ .

We make a relational definition of Algorithm 1 through the definition of the *IsFiredSet* relation given in Definition 24. Definition 25 states that a given transition is fired in relation to the *IsFiredSet* relation.

**Definition 24 (IsFiredSet).** Given an  $sitpn \in SITPN$ , a SITPN state  $s \in S(sitpn)$ , and a subset  $fset \subseteq T$ , the *IsFiredSet* relation is defined as follows:

$$\text{IsFiredSet}(s, fset) \equiv \text{IsFiredSetAux}(s, \emptyset, T, fset)$$

**Definition 25 (Fired).** A transition  $t \in T$  is said to be fired at the SITPN state  $s = \langle M, I, \text{reset}_t, \text{ex}, \text{cond} \rangle$ , iff there exists a subset  $fset \subseteq T$  such that  $\text{IsFiredSet}(s, fset)$  and  $t \in fset$ .

We are now satisfied with the definition of the set of fired transitions provided through the *IsFiredSet* relation. Therefore, we give a new expression to Lemma 4 by using the *IsFiredSet* relation to qualify the set of fired transitions instead of using the first declarative definition. The result is Lemma 43. The full formal proof of Lemma 43 is given in Section A.4 of Appendix A.

The definition of the *IsFiredSet* relation depends on the definition of the *IsFiredSetAux* relation given in Definition 26. The inductive definition of the *IsFiredSetAux* relation permits us to express the hypothesis that we lacked to perform the proof of Lemma 4, namely the hypothesis saying that, for a given transition  $t$ , the “fired” equivalence holds for all transitions with a higher firing priority. This is stated in the “extra” hypothesis used in Lemma 44.

**Definition 26 (IsFiredSetAux).** The *IsFiredSetAux* relation is defined by the following rules:

$$\begin{array}{c}
 \text{ISFIREDSETAUXNIL} \\
 \hline
 \text{IsFiredSetAux}(s, \text{fired}, \emptyset, \text{fired}) \\
 \\
 \text{ISFIREDSETAUXCONS} \\
 \text{IsTopPrioritySet}(T_s, tp) \qquad \text{ElectFired}(s, \text{fired}, tp, \text{fired}') \qquad \text{IsFiredSetAux}(s, \text{fired}', T_s \setminus tp, fset) \\
 \hline
 \text{IsFiredSetAux}(s, \text{fired}, T_s, fset)
 \end{array}$$

The *IsFiredSetAux* relation depends on the definitions of the *IsTopPrioritySet* and *ElectFired* relations given in Definitions 27 and 29. The *IsTopPrioritySet* relation is a relational implementation of the `GetTopPriorityTransitions` function appearing at Line 4 of Algorithm 1. The *ElectFired* relation is a relational implementation of the `ElectFired` function appearing at Line 5 of Algorithm 1.

**Definition 27 (IsTopPrioritySet).** Given an  $sitpn \in SITPN$ , a subset  $T_s \subseteq T$ , and a subset  $tp \subseteq T$ , the *IsTopPrioritySet* relation is defined as follows:

$$\text{IsTopPrioritySet}(T_s, tp) \equiv \text{IsTopPrioritySetAux}(T_s, \emptyset, \emptyset, tp)$$

**Definition 28 (IsTopPrioritySetAux).** The *IsTopPrioritySetAux* relation is defined by the following rules:

$$\begin{array}{c}
 \text{IsTPSETAUXEMPTY} \\
 \hline
 \text{IsTopPrioritySetAux}(\emptyset, T_b, tp, tp) \\
 \\
 \text{IsTPSETAUXTP} \\
 \forall t' \in T_a \cup T_b, t' \not\succ t \qquad \text{IsTopPrioritySetAux}(T_a, \{t\} \cup T_b, \{t\} \cup tp, tp') \\
 \hline
 \text{IsTopPrioritySetAux}(\{t\} \cup T_a, T_b, tp, tp') \\
 \\
 \text{IsTPSETAUXNTP} \\
 \exists t' \in T_a \cup T_b \text{ s.t. } t' \succ t \qquad \text{IsTopPrioritySetAux}(T_a, \{t\} \cup T_b, tp, tp') \\
 \hline
 \text{IsTopPrioritySetAux}(\{t\} \cup T_a, T_b, tp, tp')
 \end{array}$$

**Definition 29 (ElectFired).** The *ElectFired* relation is defined by the following rules, where  $\text{Pr}(t, \text{fired}) = \{t' \mid t' \succ t \wedge t' \in \text{fired}\}$ :

$$\begin{array}{c}
 \text{ELECTFIREDEMPTY} \\
 \hline
 \text{ElectFired}(s, \text{fired}, \emptyset, \text{fired}) \\
 \\
 \text{ELECTFIRED}\perp \\
 \neg(t \in \text{Firable}(s) \wedge t \in \text{Sens}(s.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i))) \qquad \text{ElectFired}(s, \text{fired}, tp, \text{fired}') \\
 \hline
 \text{ElectFired}(s, \text{fired}, \{t\} \cup tp, \text{fired}') \\
 \\
 \text{ELECTFIRED}\top \\
 t \in \text{Firable}(s) \qquad t \in \text{Sens}(s.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i)) \qquad \text{ElectFired}(s, \{t\} \cup \text{fired}, tp, \text{fired}') \\
 \hline
 \text{ElectFired}(s, \text{fired}, \{t\} \cup tp, \text{fired}')
 \end{array}$$
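To make Algorithm 1 and the relations of Definitions 24 to 29 concrete, the following added example (not the thesis's Coq development) renders them in Python and runs them on a constructed SITPN. It abstracts  $\text{Firable}(s)$  as a set carried by the state, assumes the usual reading of test and inhibitor arcs, and truncates the residual marking at 0 as natural-number subtraction does.

```python
# Added example, not the thesis's Coq code: Algorithm 1 (fired set) together with
# GetTopPriorityTransitions / ElectFired. Assumptions: Firable(s) is an explicit
# set in the state; test arcs need M(p) >= w and inhibitor arcs need M(p) < w.
from dataclasses import dataclass


@dataclass
class Sitpn:
    places: tuple
    transitions: tuple
    pre: dict        # pre(p, t) = (weight, arc_type) with arc_type in basic/test/inhib
    prio: frozenset  # strict priority order as pairs (t_hi, t_lo), transitively closed


@dataclass
class State:
    marking: dict       # M : P -> N
    firable: frozenset  # Firable(s), abstracted (time intervals and conditions omitted)


def higher(sitpn, a, b):
    """a has a higher firing priority than b."""
    return (a, b) in sitpn.prio


def get_top_priority_transitions(sitpn, ts):
    """GetTopPriorityTransitions(T_s): members of T_s that no other member dominates
    (rules IsTPSETAUXTP / IsTPSETAUXNTP of Definition 28)."""
    return {t for t in ts if not any(higher(sitpn, u, t) for u in ts if u != t)}


def residual_marking(sitpn, marking, pr):
    """M - sum_{t_i in pr} pre(t_i): only basic arcs withdraw tokens (cf. the left-hand
    sum above); the subtraction is truncated at 0 as for natural numbers."""
    res = dict(marking)
    for t_i in pr:
        for p in sitpn.places:
            w, kind = sitpn.pre.get((p, t_i), (0, "basic"))
            if kind == "basic":
                res[p] = max(0, res[p] - w)
    return res


def sensitized(sitpn, marking, t):
    """t in Sens(marking)."""
    for p in sitpn.places:
        if (p, t) not in sitpn.pre:
            continue
        w, kind = sitpn.pre[(p, t)]
        if kind in ("basic", "test") and marking[p] < w:
            return False
        if kind == "inhib" and marking[p] >= w:
            return False
    return True


def elect_fired(sitpn, s, tp, fired):
    """ElectFired of Definition 29: the transitions of tp elected for firing, knowing
    the already fired transitions of higher priority (Pr(t, fired))."""
    elected = set()
    for t in tp:
        pr = {u for u in fired if higher(sitpn, u, t)}
        if t in s.firable and sensitized(sitpn, residual_marking(sitpn, s.marking, pr), t):
            elected.add(t)
    return elected


def fired(sitpn, s):
    """Algorithm 1: build Fired(s) level by level, from the top priority downwards."""
    f, ts = set(), set(sitpn.transitions)
    while ts:
        tp = get_top_priority_transitions(sitpn, ts)
        assert tp, "strict order: a non-empty T_s always has top-priority members"
        f |= elect_fired(sitpn, s, tp, f)
        ts -= tp
    return frozenset(f)


# Constructed sample: place p feeds t_a, t_b, t_c through basic arcs of weight 1 with
# t_c > t_b > t_a; the empty place q feeds t_d by an inhibitor arc and t_e by a test arc.
SAMPLE = Sitpn(
    places=("p", "q"),
    transitions=("t_a", "t_b", "t_c", "t_d", "t_e"),
    pre={("p", "t_a"): (1, "basic"), ("p", "t_b"): (1, "basic"), ("p", "t_c"): (1, "basic"),
         ("q", "t_d"): (1, "inhib"), ("q", "t_e"): (1, "test")},
    prio=frozenset({("t_c", "t_b"), ("t_b", "t_a"), ("t_c", "t_a")}),
)


def sample_fired(firable):
    """Fired set of SAMPLE with M(p) = 2, M(q) = 0 and the given Firable set."""
    return fired(SAMPLE, State(marking={"p": 2, "q": 0}, firable=frozenset(firable)))


if __name__ == "__main__":
    # Two tokens in p: the two top-priority firable outputs t_c and t_b take them, t_a is discarded.
    print(sorted(sample_fired({"t_a", "t_b", "t_c", "t_d", "t_e"})))  # ['t_b', 't_c', 't_d']
```

When  $t_c$  is not firable, the residual marking seen by  $t_b$  and then  $t_a$  is no longer reduced by it, so both fire instead.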

## 2.4.2 A report on a bug detection

In the previous section, we showed the equivalence between fired transitions and fired port values at the end of the falling edge phase. In a previous definition of the SITPN state, preceding the bug detection, the set of fired transitions was a member of the SITPN state record. For a given  $sitpn \in SITPN$ , we defined an SITPN state  $s$  by the record  $s = \langle Fired, M, I, cond, ex \rangle$  where  $Fired$  was the set of fired transitions. The  $Fired$  set was involved in the computation of time counter values during the falling edge phase. Thus, we needed the proof that the equivalence between the set of fired transitions and the value of the fired ports held at the beginning of the falling edge phase. In the previous SITPN semantics, the set of fired transitions stayed the same during the rising edge phase. Therefore, between two SITPN states  $s, s'$  verifying the rising edge state transition relation, i.e.  $s \xrightarrow{\uparrow} s'$ , we had  $s.Fired = s'.Fired$ . However, we showed that this was not the case on the  $\mathcal{H}$ -VHDL side, i.e. the values of the fired ports in TCIs do not stay the same during the rising edge phase. Thus, the equivalence between fired transitions and fired port values established at the end of the falling edge phase was lost. The consequence was a divergence between the value of time counters and the value of the `s_time_counter` signals, both computed during the falling edge phase. Figure 2.9 shows a case of divergence between time counter values and `s_time_counter` signal values in the course of an execution.



FIGURE 2.9: Bug detection: divergence between the value of time counters and the value of the `s_time_counter` signals due to the loss of the firing status information during the stabilization phase; the value of time counters and of the `s_time_counter` signals are in green; the value of diverging signals are in red.

In Figure 2.9, during the stabilization phase coming right after the rising edge of the clock, the value of the fired port of TCI  $id_{t_1}$  switches to false. After the update of the `s_marking` signal value during the rising edge phase, PCI  $id_p$  computes new priority authorizations for its output TCIs. As the marking is only sufficient to fire transition  $t_0$  but not transition  $t_1$ , PCI  $id_p$  indicates to TCI  $id_{t_1}$  that it no longer has the authorization to fire. Consequently, through the connection of the `priority_authorizations` ports, the value of the fired port of  $id_{t_1}$  is set to false. Following the rules of the SITPN semantics, on the next falling edge, the value of the time counters must be reset for transitions  $t_0$  and  $t_1$ , because both were fired at the previous rising edge. As a part of the behavior of a TCI, the `time_counter` process, executed at the falling edge of the clock, resets the value of the `s_time_counter` signal provided that the value of the fired port is true. Thus, as the value of the fired port of TCI  $id_{t_1}$  is false at the falling edge, the `time_counter` process increments the value of the `s_time_counter` signal instead of resetting it. The consequence is a divergence between the value of the time counter of transition  $t_1$  and the value of the `s_time_counter` signal in TCI  $id_{t_1}$ .

As demonstrated above, the `time_counter` process cannot rely on the value of the fired ports to determine whether the value of the `s_time_counter` signal must be reset or not. We proved that there is an equivalence between the fired transitions and the value of the fired ports at the end of a falling edge phase. We need a way to memorize the value of the fired ports at the moment where the equivalence holds (i.e. at the end of the falling edge phase), so that the `time_counter` process can use this information to reset the `s_time_counter` signal. To do so, we have modified the SITPN semantics and the behavior of the transition design. In the current version of the SITPN semantics, if a transition is fired at the beginning of the rising edge phase, then a reset order is sent to the transition. As a consequence, the time counter associated with this transition will be reset at the next falling edge. In the current version of the transition design behavior, the value of the fired port is involved in the computation of the `s_reinit_time_counter` signal; the `s_reinit_time_counter` signal value follows the value of the reset order assigned to a given transition. Thus, as the equivalence between reset orders and the value of the `s_reinit_time_counter` signal holds at the beginning of the falling edge phase, the `time_counter` process can rely on the value of the `s_reinit_time_counter` signal to reset the value of the `s_time_counter` signal. As a consequence, the set of fired transitions is no longer involved in any of the SITPN semantics rules applied during the falling edge phase. Therefore, we chose to withdraw the *Fired* set from the definition of the SITPN state record. We opted for an intensional definition of the set of fired transitions at a given SITPN state (i.e., Definition 9). After these changes, we were able to prove that there was no longer any divergence between the time counters and the value of the `s_time_counter` signals in the course of the execution (see Lemmas 26 and 35 about the equivalence of time counters).
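The following added example (not the thesis's  $\mathcal{H}$ -VHDL designs) replays the scenario of Figure 2.9 on a deliberately simplified model of one PCI and its output TCIs, running the `time_counter` process once with the original policy (reset on the fired port) and once with the corrected policy (reset on `s_reinit_time_counter`). It assumes that all arcs are basic, that the time and condition part of a TCI reduces to a constant `firable` flag, that a reset brings the counter to 0, and that the stabilization phase amounts to one pass over the outputs in priority order.

```python
# Added example, not the thesis's H-VHDL code: a simplified PCI/TCI model used to
# replay the Figure 2.9 divergence. Assumptions: basic arcs only, Firable abstracted
# as a flag, reset value 0, stabilization evaluated in one pass in priority order.
from dataclasses import dataclass


@dataclass
class Tci:
    name: str
    weight: int                         # output_arcs_weights[l] seen from the PCI
    firable: bool = True                # time interval / condition part, abstracted
    fired: bool = False                 # the fired output port
    s_time_counter: int = 0
    s_reinit_time_counter: bool = False


@dataclass
class Pci:
    s_marking: int
    outputs: list                       # index l = priority rank, 0 = top priority


def stabilize(pci):
    """Combinational equations of the PCI/TCI pair: priority_authorizations[l] holds iff
    s_marking minus the tokens taken by higher-priority fired outputs (vsots) covers
    arc weight l, and fired[l] = firable and authorization. Since fired[l] only depends
    on lower indexes, one pass in index order reaches the fixpoint."""
    vsots = 0
    for t in pci.outputs:
        t.fired = t.firable and (pci.s_marking - vsots >= t.weight)
        if t.fired:
            vsots += t.weight


def clock_cycle(pci, reset_policy):
    """One clock cycle; returns the fired ports sampled at the rising edge, i.e. the
    transitions the SITPN semantics regards as fired at that edge."""
    if reset_policy not in ("fired_port", "reinit_signal"):
        raise ValueError(reset_policy)
    fired_at_rising = {t.name: t.fired for t in pci.outputs}
    # Rising edge phase: fired transitions withdraw their tokens; the corrected design
    # also latches a reset order for every transition fired at this edge.
    for t in pci.outputs:
        t.s_reinit_time_counter = t.fired
        if t.fired:
            pci.s_marking -= t.weight
    # Stabilization: authorizations are recomputed from the new marking, so a fired
    # port may fall back to false (loss of the firing status information).
    stabilize(pci)
    # Falling edge phase: the time_counter process of each TCI.
    for t in pci.outputs:
        reset = t.fired if reset_policy == "fired_port" else t.s_reinit_time_counter
        t.s_time_counter = 0 if reset else t.s_time_counter + 1
    return fired_at_rising


def run_scenario(reset_policy):
    """Figure 2.9 setting (constructed values): p holds 3 tokens, t0 has priority over
    t1, both arcs weigh 1, both are firable, both counters start at 5. Returns
    {name: (SITPN time counter, s_time_counter)} after one clock cycle."""
    pci = Pci(s_marking=3, outputs=[Tci("t0", 1, s_time_counter=5),
                                    Tci("t1", 1, s_time_counter=5)])
    stabilize(pci)  # end of the previous falling edge phase: both fired ports are true
    ref = {t.name: t.s_time_counter for t in pci.outputs}
    fired_at_rising = clock_cycle(pci, reset_policy)
    # SITPN side: a transition fired at the rising edge has its counter reset at the
    # falling edge, whatever happened to its fired port in between.
    for name, was_fired in fired_at_rising.items():
        ref[name] = 0 if was_fired else ref[name] + 1
    return {t.name: (ref[t.name], t.s_time_counter) for t in pci.outputs}


def diverges(reset_policy):
    """True iff some time counter and its s_time_counter signal differ after the cycle."""
    return any(sitpn != hvhdl for sitpn, hvhdl in run_scenario(reset_policy).values())


if __name__ == "__main__":
    print(run_scenario("fired_port"))     # {'t0': (0, 0), 't1': (0, 6)}: t1 diverges
    print(run_scenario("reinit_signal"))  # {'t0': (0, 0), 't1': (0, 0)}
```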

## 2.5 Mechanized verification of the proof

The work of mechanizing the proof of the **Full bisimulation** theorem is an ongoing task. At the time of writing, we have only verified thirty per cent of the proof concerning the **Similar initial states** lemma. However, the effort to achieve this thirty per cent of the verification amounts to three months of work. In this section, we give metrics to measure the gap between the size of the “paper” proof (see Appendix A) and the size of the computer-checked proof written in Coq. We point out some of the reasons that may explain the gap, and comment on some of the techniques employed to reduce the size of proof scripts. As a reminder, the full code including specifications and proof scripts is available at .

Listing 2.4 presents the Coq implementation of Theorem 5 along with the sequence of tactics constituting its proof. We also declared the **Behavior preservation** theorem, and the **Elaboration, Initialization, Simulation** theorems as axioms in the `Soundness.v` file under the `soundness` folder of the Git repository.


```
1 Theorem sitpn2vhdl_full_bisim:
2   forall τ sitpn decpr ident idarch Ec θs d Ep mm θσ γ Δ,
3
4     (* sitpn is well-defined. *)
5     IsWellDefined sitpn →
6
7     (* sitpn translates into (d, γ). *)
8     sitpn_to_vhdl sitpn decpr ident idarch mm = (inl (d, γ)) →
9
10    (* Environments are similar. *)
11    SimEnv sitpn γ Ec Ep →
12
13    (* SITPN sitpn yields execution trace θs after τ execution cycles. *)
14    SitpnFullExec sitpn Ec γ θs →
15
16    (* Design d yields simulation trace θσ after τ simulation cycles. *)
17    hfullsim Ep τ Δ d θσ →
18
19    (* ** Conclusion: traces are similar. ** *)
20    SimTrace γ θs θσ.
21 Proof.
22   (* Case analysis on τ *)
23   destruct τ;
24   intros *;
25   inversion_clear 4;
26   inversion_clear 1;
27
28   (* - CASE τ = 0, GOAL γ ⊢ s0 ~ σ0. Solved with sim_init_states lemma.
29   - CASE τ > 0, GOAL γ ⊢ (s0 :: s0 :: s :: θ) ~ (σ0 :: σ :: σ' :: θ'').
30   Solved with [first_cycle] and [simulation] lemmas. *)
31   lazymatch goal with
32   | [ Hsimloop: simloop _ _ _ _ _ | _ ] =>
33     inversion_clear Hsimloop; constructor; eauto with hilecop
34   end.
35 Qed.
```

LISTING 2.4: Coq implementation of the **Full bisimulation** theorem and the mechanized version of its proof.

The proof laid out in Listing 2.4 follows the structure of the informal proof of Theorem 5. First, we perform case analysis on the structure of the  $\tau$  variable through the `destruct` tactic. Then, `intros *` introduces all universally-bound variables in the proof context. Then, at Lines 25 and 26, we use a variant of the `inversion` tactic (i.e. `inversion_clear`) to unfold the definition of the SITPN full execution relation and of the  $\mathcal{H}$ -VHDL full simulation relation. The number passed as an argument to the `inversion_clear` tactic refers to the index of the premise in the arrow-separated list of premises constituting the declaration of the theorem. At Line 31, we perform pattern matching on the proof context and on the conclusion to be proved. This permits us to identify the hypothesis associated with the  $\mathcal{H}$ -VHDL simulation relation; we name it `Hsimloop`. This hypothesis has been introduced in the context of the proof as a side effect of the `inversion_clear` tactic used at Line 26. Then, we introduce in the proof context new hypotheses based on the definition of the `Hsimloop` hypothesis (i.e. the definition of the  $\mathcal{H}$ -VHDL simulation relation) by invoking the `inversion_clear` tactic on `Hsimloop`. Then, the `constructor` tactic builds sub-goals to be proved based on the definition of the full trace similarity relation (i.e.  $\sim$ ). We let the `eauto` tactic decide which lemma to apply to solve the sub-goals generated by the `constructor` tactic. We give a hint to the `eauto` tactic so that it looks in the user-defined `hilecop` database of theorems and lemmas to solve the sub-goals. The `hilecop` database contains the Coq implementation of all the theorems and lemmas used to prove the **Full bisimulation** theorem.

### Robustness to change

The proof laid out in Listing 2.4 is representative of our strategy to keep our mechanized proofs robust to change. The robustness criterion is important for multiple reasons. First, in the course of the proof, we can always realize that some case is missing in the expression of the transformation function, or discover that the semantics of the SITPNs or of the  $\mathcal{H}$ -VHDL language is incomplete or incorrect. Therefore, we want to structure our proofs in a way that lowers the impact of correcting the transformation function or completing the semantics. Second, we know that the SITPN structure and the  $\mathcal{H}$ -VHDL code of the place and transition designs will evolve in the future. Therefore, we want to be able to adapt our proofs with a minimum of effort. To reach robustness to change, we follow the indications laid out in [7]. Mainly, we make extensive use of pattern matching constructs, such as `lazymatch` or `match`, to seek hypotheses in the current proof context. Also, we build hint databases and rely as much as possible on the `auto` and `eauto` tactics to solve the conclusions.

### Automation

To shorten the size of proofs, we develop user-defined tactics using the Coq Ltac language. The tactic that most contributed to the reduction of the size of the proof scripts is the `minv` tactic (see `StateAndErrorMonadTactics.v` under the `common` folder). The `minv` tactic automates the proof of certain lemmas regarding the properties of the HILECOP transformation function in the context of the state-and-error monad. Our Coq implementation of the HILECOP transformation function implements the state-and-error monad. This monad simulates imperative-language traits in a functional language. All functions involved in the HILECOP transformation function carry a compile-time state, defined as the Coq type `CompileTimeState`. Each function either returns a value, modifies the compile-time state, or does both. To give an example of the use of the `minv` tactic, Listing 2.5 shows the implementation of the `generate_place_comp_inst` function involved in the HILECOP transformation function. The `generate_place_comp_inst` function generates a  $\mathcal{H}$ -VHDL PCI statement from a place  $p$  passed as a parameter. As a side effect, the `generate_place_comp_inst` function adds the PCI statement to the behavior of the top-level design currently built in the compile-time state.

```
Definition generate_place_comp_inst (p : P sitpn) : CompileTimeState unit :=

  do id      ← get_nextid;
  do _       ← bind_place p id;
  do pcomp   ← get_pcomp p;
  do pcomp_inst ← HComponent_to_comp_inst id place_entid pcomp;
  add_cs pcomp_inst.
```

LISTING 2.5: Coq implementation of the `generate_place_comp_inst` function; the function takes an SITPN place  $p$  as a parameter, and modifies the compile-time state without returning a value (i.e. the function return type is `unit`).

In its definition body, function `generate_place_comp_inst` sequentially calls functions that sometimes modify the compile-time state (e.g. the `bind_place` function adds a binding between  $p$  and  $id$  in the generated  $\gamma$  binder, i.e.  $\gamma(p) = id$  after the call to `bind_place`), and sometimes simply return a value without modifying the state (e.g. `get_pcomp` returns an intermediate structure representing the place component instance associated with place  $p$  in the compile-time state). During the mechanization of the proof, we often need to prove that some properties hold between the input compile-time state and the output compile-time state after the call to a certain function. For example, after calling the `generate_place_comp_inst` function on a given place  $p$  and for a given input state  $s$ , let us say that a new compile-time state  $s'$  is returned. We want to show that the part of the  $\gamma$  binder pertaining to the binding of transitions to TCI identifiers has not changed between state  $s$  and state  $s'$ <sup>2</sup>. To perform the proof, we need to show that each function call composing the sequence of the `generate_place_comp_inst` function returns a compile-time state verifying the wanted property. Proving simple properties of this kind, such as verifying that parts of the compile-time states stay equal through multiple invocations of functions, is highly automatable. We adapted the tactic `monadInv` defined in the CompCert project [12] to automate proofs of such properties. The result is the tactic `minv`, used extensively in the proofs pertaining to state invariants<sup>3</sup>.

### Gap between informal and formal proof

There is a huge gap in size between the informal proof of the **Full bisimulation** theorem given in this chapter and in Appendix A and the machine-checked formal proof. Right now, the Coq proof wins the size competition. The most significant distance between the size of the informal and the formal proof comes from the following two points: the statement of the combinational equations defining the value of  $\mathcal{H}$ -VHDL signals, and the statement of properties about the HILECOP transformation function. Stating that a combinational equation holds for a given signal in the context of an informal proof is a one-line sentence. The same goes when invoking the properties of the PCIs and TCIs populating the top-level design behavior based on the definition of the transformation function. However, proving these statements represents a tremendous mechanization effort within the Coq proof assistant. To give an example, we begin the proof of Lemma 6 by taking a place  $p$  and a PCI identifier  $id_p$  linked through the  $\gamma$  binder returned by the transformation function. Then, we state the existence of a PCI statement, identified by  $id_p$  and with an associated generic map, input port map and output port map, in the behavior of the top-level design returned by the transformation function. To do so, we use the following sentence:

<sup>2</sup>Remember that the  $\gamma$  binder is part of the compile-time state record type.

<sup>3</sup>State invariance lemmas are to be found in the `GenerateInfosInvs.v`, `GenerateArchitectureIns.v`, `GeneratePortsInvs.v` and `GenerateHVhdlInvs.v` files under the `sitpn2hvhdl` folder of the Git repository.

“Let us take a  $p \in P$  and an  $id_p \in Comps(\Delta)$  such that  $\gamma(p) = id_p$ . By construction, there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ .”

The expression “by construction” is a shorthand for “knowing how the target  $\mathcal{H}$ -VHDL design is constructed by the transformation function”, or “based on the definition of the transformation function”. In Coq, proving the lemma that states the existence of a PCI for a given place  $p$  amounts to 1500 lines of proof script. The lemmas regarding properties of PCI and TCI statements deduced from the transformation function tend to have complicated proofs. We believe that the implementation of the HILECOP transformation function could be more straightforward in order to simplify this kind of proof. By straightforward, we mean that the number of steps separating a given place or a given transition from the generation of its corresponding PCI or TCI could be diminished, maybe at the cost of time performance. Right now, ease of proof is more important than time performance, considering that our goal is to prove the semantic preservation theorem in a reasonable amount of time. Still, the major complexity of the transformation function, i.e. what makes the proofs so hard, lies in the generation of the interconnections between PCIs and TCIs. Some engineering effort could be spent to simplify this particular part of the transformation.

Also, we spent a lot of time proving some uninteresting, however necessary, properties about the  $\mathcal{H}$ -VHDL design states and the  $\mathcal{H}$ -VHDL simulation relations. For instance, we proved a lot of lemmas pertaining to the preservation of identifiers through the simulation phases (e.g. if a signal  $id$  is present in a design state at the beginning of a stabilization phase, then it is still present at the end of the phase). We also proved a lot of uninteresting properties about the  $\mathcal{H}$ -VHDL elaborated designs and the  $\mathcal{H}$ -VHDL elaboration relation, for instance properties on the uniqueness of identifiers in design states and in elaborated designs. We believe that a more systematic use of dependent types, especially to implement the  $\mathcal{H}$ -VHDL design state and the elaborated design structure, could spare us from proving this kind of lemma.

## 2.6 Conclusion

In this chapter, the aim was to present the behavior preservation theorem stating that the HILECOP transformation is semantics-preserving, along with its informal proof. By presenting the work of the literature pertaining to the verification of *transformation functions* through the proof of behavior preservation theorems, we wanted to convince the reader that the expression of our semantic preservation theorem is “correct”, i.e. it follows a common expression pattern. We saw that the expression of semantic preservation theorems is quite similar in its form even when the transformations considered are not of the same nature (i.e. GPL compilers, HDL compilers and model transformations). Our semantic preservation theorem takes the form of a state similarity check between the states composing the execution traces of our source model and our target program. At each point of the execution (i.e. at each clock signal event), the state of the input model and the state of the output representation must be similar to ensure the behavior preservation property. This definition of the behavior preservation property is particular to reactive systems, i.e. we are dealing with systems that execute over time and that are synchronized with a clock signal. Naturally, the behavior preservation theorem must ensure that the behaviors are similar independently of the number of execution cycles performed. Fortunately, leveraging inductive reasoning, proving such a thing comes down to proving that behaviors are preserved through one clock cycle.

The study of the literature showed that the state comparison relation, i.e. the relation that describes how things are compared between the source and the target representation, is a significant element in the expression of the behavior preservation theorem. Especially in our case, the state structures of the source and target representations are quite different. Indeed, we are dealing with an abstract set of data in the SITPN world, while in the  $\mathcal{H}$ -VHDL representation everything is converted into signal values and internal states of component instances. Thus, relating these two kinds of states is not straightforward, and we thoroughly presented our state similarity relation in Section 2.2.

In this chapter, we wanted to stress another point pertaining not to the “how” but to the “when”: when the states of the input and output representations must be compared in the course of the execution. Here, we are dealing with two kinds of models that are synchronously executed. However, the synchronous execution of an SITPN stays at a level that is quite abstract compared to the concrete execution of a synchronous hardware system. Indeed, the execution of a synchronous hardware system is governed by the rules of combinational and synchronous logic, while this is not the case at the SITPN level. Thus, a  $\mathcal{H}$ -VHDL design goes through many more different states in the course of a clock cycle than its corresponding SITPN. Figure 2.3 illustrates when the state comparison must be performed in the course of a clock cycle.

While presenting the proof of Theorem 1, we used certain theorems declared as axioms (Theorems 2, 3 and 4). These theorems express the fact that we can always derive a simulation trace from the execution of a  $\mathcal{H}$ -VHDL design resulting from a successful HILECOP transformation. It means that the execution of a  $\mathcal{H}$ -VHDL design resulting from the HILECOP transformation never results in an error at some point of the simulation. We chose not to represent errors in the  $\mathcal{H}$ -VHDL semantics due to the fact that the concept of error is nonexistent in the SITPN semantics. However, we argue that proving a theorem stating the existence of a simulation trace, independently of the number of simulation cycles considered, is a way to rectify the lack of error representation in our semantics. By presenting Theorems 2, 3 and 4 as axioms, we chose to prove the theorem of semantic preservation in the case where a simulation trace has been produced for the generated  $\mathcal{H}$ -VHDL design. This is the setting of Theorem 5, for which the full proof is detailed in this chapter and in Appendix A. However, we are not giving up on the proof of Theorems 2, 3 and 4. Indeed, proving a theorem stating the similarity of execution traces is useless if the execution of a generated  $\mathcal{H}$ -VHDL design always fails at some point while the execution of the corresponding SITPN goes on. However, we are confident in the fact that if the execution of a generated  $\mathcal{H}$ -VHDL design fails, then it can only reflect a divergence in relation to the behavior of the input SITPN. Thus, proving that the execution traces are similar contributes to the proof that we can always derive an execution trace for a generated  $\mathcal{H}$ -VHDL design.

The informal “paper” proof of Theorem 5 given in this chapter and Appendix A is long: about a hundred pages. However, as we explained in Section 2.4, the same strategy is used throughout the proof. To prove that the behavior of an SITPN and its corresponding  $\mathcal{H}$ -VHDL design is preserved through an execution cycle, we must reason on the execution relations ruling both worlds. But first, to relate the execution of our input and output representations, we must structurally relate the SITPN to the translated  $\mathcal{H}$ -VHDL design. In the course of the proof, we first reason on the structure of the input SITPN; from the structure of the SITPN and by property of the HILECOP transformation, we can determine the structure of the top-level  $\mathcal{H}$ -VHDL design. Once we know the structure of the SITPN and of the  $\mathcal{H}$ -VHDL design, we can unfold their execution rules to prove that their behaviors are the same, i.e. that at the end of a computational step, states are similar.

The mechanization of the proof of Theorem 5 is still at a very early stage, although we have already spent three months on it; the mechanization is thus a very slow process. We explain the difficulty of the mechanization task by pointing out the two points where the distance between the informal and the formal proof is greatest. The first point is the statement of the construction of the  $\mathcal{H}$ -VHDL design from the structure of the SITPN and the HILECOP transformation function. Reasoning on the transformation function is not an easy task, as the transformation itself is not as straightforward as the transformation from a source program of a GPL to a target program of another GPL. In Section 2.5, we pointed out the distance between a property of the transformation function expressed in one sentence in the informal proof and the thousands of lines that it represents in the formal proof. The second point widening the distance between the informal and the formal proof is the establishment of the synchronous and combinational equations verified by the internal signals of the PCIs and TCIs. This is also a one-sentence statement in the informal proof, while it represents thousands of lines of code in the formal proof. The De Bruijn factor [17], which measures the distance in number of characters between an informal proof and its machine-checked version (i.e. the formal program), is tremendously high in our case when considering these intermediate results.

## Appendix A

# Semantic preservation proof

| Full name                       | Alias  | Category             | Type                                    |
|---------------------------------|--------|----------------------|-----------------------------------------|
| "input_conditions"              | "ic"   | input port (T)       | IB                                      |
| "reinit_time"                   | "rt"   | input port (T)       | IB                                      |
| "input_arcs_valid"              | "iav"  | input port (T)       | IB                                      |
| "fired"                         | "f"    | output port (T)      | IB                                      |
| "s_condition_combination"       | "scc"  | internal signal (T)  | IB                                      |
| "s_reinit_time_counter"         | "srtc" | internal signal (T)  | IB                                      |
| "s_priority_combination"        | "spc"  | internal signal (T)  | IB                                      |
| "s_fired"                       | "sf"   | internal signal (T)  | IB                                      |
| "s_firable"                     | "sfa"  | internal signal (T)  | IB                                      |
| "s_enabled"                     | "se"   | internal signal (T)  | IB                                      |
| "input_arcs_number"             | "ian"  | generic constant (T) | IN                                      |
| "transition_type"               | "tt"   | generic constant (T) | {not_temp,temp_a_b,temp_a_a,temp_a_inf} |
| "conditions_number"             | "cn"   | generic constant (T) | IN                                      |
| "maximal_time_counter"          | "mtc"  | generic constant (T) | IN                                      |
| "s_marking"                     | "sm"   | internal signal (P)  | IN                                      |
| "s_output_token_sum"            | "sots" | internal signal (P)  | IN                                      |
| "s_input_token_sum"             | "sits" | internal signal (P)  | IN                                      |
| "reinit_transition_time"        | "rtt"  | output port (P)      | IB                                      |
| "output_arcs_types"             | "oat"  | input port (P)       | {basic,test,inhib}                      |
| "output_arcs_weights"           | "oaw"  | input port (P)       | IN                                      |
| "output_transition_fired"       | "otf"  | input port (P)       | IB                                      |
| "input_arcs_weights"            | "iaw"  | input port (P)       | IN                                      |
| "input_transition_fired"        | "itf"  | input port (P)       | IB                                      |

TABLE A.1: Constants and signals reference for the  $\mathcal{H}$ -VHDL transition and place designs

### A.1 Initial States

**Definition 30** (Initial state hypotheses). Given an  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$ , assume that:

- SITPN  $sitpn$  translates into design  $d$ :  $[sitpn]_{\mathcal{H}} = (d, \gamma)$

- $\Delta$  is the elaborated version of  $d$ , and  $\sigma_e$  is the default state of  $\Delta$ , i.e., the state of  $\Delta$  where all signals have their default value:

$$\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e)$$

- $\sigma_0$  is the initial state of  $\Delta$ :  $\Delta, \sigma_e \vdash d.cs \xrightarrow{\text{init}} \sigma_0$

**Lemma 5** (Similar initial states). For all  $sitpn \in SITPN$ ,  $d \in \text{design}$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Definition 30, then  $\gamma \vdash s_0 \sim \sigma_0$ .

*Proof.* By definition of the **General state similarity** relation, there are 6 points to prove.

1.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, s_0.M(p) = \sigma_0(id_p)(\text{"s_marking"})$ .
2.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t))) \Rightarrow s_0.I(t) = \sigma_0(id_t)(\text{"s_time_counter"})$   
 $\wedge (upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t))) \Rightarrow \sigma_0(id_t)(\text{"s_time_counter"}) = lower(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t))) \Rightarrow \sigma_0(id_t)(\text{"s_time_counter"}) = upper(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t))) \Rightarrow s_0.I(t) = \sigma_0(id_t)(\text{"s_time_counter"}).$
3.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, s_0.reset_t(t) = \sigma_0(id_t)(\text{"s_reinit_time_counter"})$ .
4.  $\forall c \in C, id_c \in Ins(\Delta) \text{ s.t. } \gamma(c) = id_c, s_0.cond(c) = \sigma_0(id_c)$ .
5.  $\forall a \in \mathcal{A}, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s_0.ex(a) = \sigma_0(id_a)$ .
6.  $\forall f \in \mathcal{F}, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s_0.ex(f) = \sigma_0(id_f)$ .

- Apply the **Initial states equal marking** lemma to solve 1.
- Apply the **Initial states equal time counters** lemma to solve 2.
- Apply the **Initial states equal reset orders** lemma to solve 3.
- Apply the **Initial states equal condition values** lemma to solve 4.
- Apply the **Initial states equal action executions** lemma to solve 5.
- Apply the **Initial states equal function executions** lemma to solve 6.

□

### A.1.1 Initial states and marking

**Lemma 6** (Initial states equal marking). For all  $sitpn \in SITPN$ ,  $d \in \text{design}$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Definition 30, then  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, s_0.M(p) = \sigma_0(id_p)(\text{"s_marking"})$ .

*Proof.* Given a  $p \in P$  and an  $id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p$ , let us show that

$$s_0.M(p) = \sigma_0(id_p)(\text{"s_marking"}).$$

By construction and by definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation,  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the marking process defined in the place design architecture, we can deduce  $\sigma_0(id_p)(\text{"s\_marking"}) = \sigma_0(id_p)(\text{"initial\_marking"})$ .

Rewriting  $\sigma_0(id_p)(\text{"s\_marking"})$  as  $\sigma_0(id_p)(\text{"initial\_marking"})$  in the goal:  $\sigma_0(id_p)(\text{"initial\_marking"}) = s_0.M(p)$ .

By construction,  $\langle initial\_marking \Rightarrow M_0(p) \rangle \in ipm_p$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation, and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , then  $\sigma_0(id_p)(initial\_marking) = M_0(p)$ . Rewriting  $\sigma_0(id_p)(initial\_marking)$  as  $M_0(p)$  in the current goal:  $M_0(p) = s_0.M(p)$ .

By definition of  $s_0$ , we can rewrite  $s_0.M(p)$  as  $M_0(p)$  in the current goal, tautology.

□

**Lemma 7** (Null input token sum at initial state). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_H)$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Definition 30, then  $\forall p \in P, id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p$ ,  $\sigma_0(id_p)(s\_input\_token\_sum) = 0$ .*

*Proof.* Given a  $p$  and an  $id_p$  s.t.  $\gamma(p) = id_p$ , let us show that  $\sigma_0(id_p)(s\_input\_token\_sum) = 0$ .

By construction and by definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ .

By property of the initialization relation,  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the `input_tokens_sum` process defined in the place design architecture, we can deduce:

$$\sigma_0(id_p)(sits) = \sum_{i=0}^{\Delta(id_p)(ian)-1} \begin{cases} \sigma_0(id_p)(iaw)[i] & \text{if } \sigma_0(id_p)(itf)[i] \\ 0 & \text{otherwise} \end{cases} \quad (\text{A.1})$$

Rewriting the goal with Equation (A.1):

$$\sum_{i=0}^{\Delta(id_p)(ian)-1} \begin{cases} \sigma_0(id_p)(iaw)[i] & \text{if } \sigma_0(id_p)(itf)[i] \\ 0 & \text{otherwise} \end{cases} = 0.$$

Let us perform case analysis on  $input(p)$ ; there are two cases:

1.  $input(p) = \emptyset$ :

By construction,  $\langle input\_arcs\_number \Rightarrow 1 \rangle \in gm_p$ ,  $\langle input\_transitions\_fired(0) \Rightarrow true \rangle \in ipm_p$ , and  $\langle input\_arcs\_weights(0) \Rightarrow 0 \rangle \in ipm_p$ .

By property of the elaboration relation,  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , and  $\langle input\_arcs\_number \Rightarrow 1 \rangle \in gm_p$ , we can deduce  $\Delta(id_p)(ian) = 1$ .

By property of the initialization relation,  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ ,  $\langle input\_transitions\_fired(0) \Rightarrow true \rangle \in ipm_p$  and  $\langle input\_arcs\_weights(0) \Rightarrow 0 \rangle \in ipm_p$ , we can deduce  $\sigma_0(id_p)(itf)[0] = true$  and  $\sigma_0(id_p)(iaw)[0] = 0$ .

Rewriting the goal with  $\Delta(id_p)(ian) = 1$ ,  $\sigma_0(id_p)(itf)[0] = true$ ,  $\sigma_0(id_p)(iaw)[0] = 0$  and simplifying the goal, tautology.

2.  $input(p) \neq \emptyset$ :

By construction,  $\langle input\_arcs\_number \Rightarrow |input(p)| \rangle \in gm_p$ , and by property of the elaboration relation, and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\Delta(id_p)(ian) = |input(p)|$ .

Let us reason by induction on the sum term of the goal.

- **BASE CASE:** The sum term equals 0, then tautology.

- **INDUCTION CASE:**

Assuming the induction hypothesis

$$\sum_{i=1}^{\Delta(id_p)(\text{"ian"})-1} \begin{cases} \sigma_0(id_p)(\text{"iaw"})[i] & \text{if } \sigma_0(id_p)(\text{"itf"})[i] \\ 0 & \text{otherwise} \end{cases} = 0,$$

let us show

$$\begin{cases} \sigma_0(id_p)(\text{"iaw"})[0] & \text{if } \sigma_0(id_p)(\text{"itf"})[0] \\ 0 & \text{otherwise} \end{cases} + \sum_{i=1}^{\Delta(id_p)(\text{"ian"})-1} \begin{cases} \sigma_0(id_p)(\text{"iaw"})[i] & \text{if } \sigma_0(id_p)(\text{"itf"})[i] \\ 0 & \text{otherwise} \end{cases} = 0.$$

Using the induction hypothesis to rewrite the goal:

$$\begin{cases} \sigma_0(id_p)(\text{"iaw"})[0] \text{ if } \sigma_0(id_p)(\text{"itf"})[0] \\ 0 \text{ otherwise} \end{cases} = 0$$

Since  $\text{input}(p) \neq \emptyset$ , by construction, there exist an  $id_t \in \text{Comps}(\Delta)$  and  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and an  $id_{ft} \in \text{Sigs}(\Delta)$  s.t.  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$  and  $\langle \text{input\_transitions\_fired}(0) \Rightarrow id_{ft} \rangle \in ipm_p$ .

By property of the initialization relation,  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ ,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ ,  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$  and  $\langle \text{input\_transitions\_fired}(0) \Rightarrow id_{ft} \rangle \in ipm_p$ , we can deduce  $\sigma_0(id_p)(\text{"itf"})[0] = \sigma_0(id_t)(\text{"fired"})$ .

Rewriting the goal with  $\sigma_0(id_p)(\text{"itf"})[0] = \sigma_0(id_t)(\text{"fired"})$ :

$$\begin{cases} \sigma_0(id_p)(\text{"iaw"})[0] & \text{if } \sigma_0(id_t)(\text{"fired"}) \\ 0 & \text{otherwise} \end{cases} = 0$$

Appealing to Lemma 14, we can deduce  $\sigma_0(id_t)(\text{"fired"}) = \text{false}$ .

Rewriting the goal with  $\sigma_0(id_t)(\text{"fired"}) = \text{false}$ , and simplifying the goal, tautology. □

**Lemma 8** (Null output token sum at initial state). *For all  $sitpn \in SITPN, d \in \text{design}, \gamma \in WM(sitpn, d), \Delta \in ElDesign(d, \mathcal{D}_H), \sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Definition 30, then  $\forall p \in P, id_p \in \text{Comps}(\Delta)$  s.t.  $\gamma(p) = id_p, \sigma_0(id_p)(\text{"s_output_token_sum"}) = 0$ .*

*Proof.* The proof is similar to the proof of Lemma 7. □

### A.1.2 Initial states and time counters

**Lemma 9** (Initial states equal time counters). *For all  $sitpn \in SITPN, d \in \text{design}, \gamma \in WM(sitpn, d), \Delta \in ElDesign(d, \mathcal{D}_H), \sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Definition 30, then  $\forall t \in T_i, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t,$   $\text{upper}(I_s(t)) = \infty \wedge s_0.I(t) \leq \text{lower}(I_s(t)) \Rightarrow s_0.I(t) = \sigma_0(id_t)(\text{"s_time_counter"}) \wedge$   $\text{upper}(I_s(t)) = \infty \wedge s_0.I(t) > \text{lower}(I_s(t)) \Rightarrow \sigma_0(id_t)(\text{"s_time_counter"}) = \text{lower}(I_s(t)) \wedge$   $\text{upper}(I_s(t)) \neq \infty \wedge s_0.I(t) > \text{upper}(I_s(t)) \Rightarrow \sigma_0(id_t)(\text{"s_time_counter"}) = \text{upper}(I_s(t)) \wedge$   $\text{upper}(I_s(t)) \neq \infty \wedge s_0.I(t) \leq \text{upper}(I_s(t)) \Rightarrow s_0.I(t) = \sigma_0(id_t)(\text{"s_time_counter"}).$*

*Proof.* Given a  $t \in T_i$  and an  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show that:

1.  $\boxed{upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t)) \Rightarrow s_0.I(t) = \sigma_0(id_t)(\text{"s\_time\_counter"})}$
2.  $\boxed{upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t)) \Rightarrow \sigma_0(id_t)(\text{"s\_time\_counter"}) = lower(I_s(t))}$
3.  $\boxed{upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t)) \Rightarrow \sigma_0(id_t)(\text{"s\_time\_counter"}) = upper(I_s(t))}$
4.  $\boxed{upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t)) \Rightarrow s_0.I(t) = \sigma_0(id_t)(\text{"s\_time\_counter"})}$

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ .

Then, let us show the 4 previous points.

1. Assuming that  $upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t))$ , then let us show  

$$\boxed{s_0.I(t) = \sigma_0(id_t)(\text{"s\_time\_counter"})}.$$

Rewriting  $s_0.I(t)$  as 0, by definition of  $s_0$ ,  $\boxed{\sigma_0(id_t)(\text{"s\_time\_counter"}) = 0}$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `time_counter` process defined in the transition design architecture, we can deduce  $\boxed{\sigma_0(id_t)(\text{"s\_time\_counter"}) = 0}$ .

2. Assuming that  $upper(I_s(t)) = \infty$  and  $s_0.I(t) > lower(I_s(t))$ , let us show  

$$\boxed{\sigma_0(id_t)(\text{"s\_time\_counter"}) = lower(I_s(t))}.$$

By definition,  $lower(I_s(t)) \in \mathbb{N}^*$  and  $s_0.I(t) = 0$ . The hypothesis  $s_0.I(t) > lower(I_s(t))$  thus reduces to  $\boxed{lower(I_s(t)) < 0}$ , which is a contradiction.

3. Assuming that  $upper(I_s(t)) \neq \infty$  and  $s_0.I(t) > upper(I_s(t))$ , let us show  

$$\boxed{\sigma_0(id_t)(\text{"s\_time\_counter"}) = upper(I_s(t))}.$$

By definition,  $upper(I_s(t)) \in \mathbb{N}^*$  and  $s_0.I(t) = 0$ . The hypothesis  $s_0.I(t) > upper(I_s(t))$  thus reduces to  $\boxed{upper(I_s(t)) < 0}$ , which is a contradiction.

4. Assuming that  $upper(I_s(t)) \neq \infty$  and  $s_0.I(t) \leq upper(I_s(t))$ , let us show  

$$\boxed{s_0.I(t) = \sigma_0(id_t)(\text{"s\_time\_counter"})}.$$

Rewriting  $s_0.I(t)$  as 0, by definition of  $s_0$ ,  $\boxed{\sigma_0(id_t)(\text{"s\_time\_counter"}) = 0}$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `time_counter` process defined in the transition design architecture, we can deduce  $\boxed{\sigma_0(id_t)(\text{"s\_time\_counter"}) = 0}$ .

□

### A.1.3 Initial states and reset orders

**Lemma 10** (Initial states equal reset orders). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Definition 30, then  $\forall t \in T_i, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  $s_0.reset_t(t) = \sigma_0(id_t)(\text{"s\_reinit\_time\_counter"})$ .*

*Proof.* Given a  $t \in T_i$  and an  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show that

$$\boxed{s_0.reset_t(t) = \sigma_0(id_t)(\text{"s\_reinit\_time\_counter"})}.$$

Rewriting  $s_0.reset_t(t)$  as **false**, by definition of  $s_0$ ,  $\boxed{\sigma_0(id_t)(\text{"s\_reinit\_time\_counter"}) = \text{false}}$ .

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation,  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `reinit_time_counter_evaluation` process defined in the transition design architecture, we can deduce  $\sigma_0(id_t)(s\_reinit\_time\_counter) = \prod_{i=0}^{\Delta(id_t)(ian)-1} \sigma_0(id_t)(rt)[i]$ .

Rewriting  $\sigma_0(id_t)(s\_reinit\_time\_counter)$  as  $\prod_{i=0}^{\Delta(id_t)(ian)-1} \sigma_0(id_t)(rt)[i]$ ,

$$\prod_{i=0}^{\Delta(id_t)(ian)-1} \sigma_0(id_t)(rt)[i] = \text{false.}$$

For all  $t \in T$  (resp.  $p \in P$ ), let  $input(t)$  (resp.  $input(p)$ ) be the set of input places of  $t$  (resp. input transitions of  $p$ ), and let  $output(t)$  (resp.  $output(p)$ ) be the set of output places of  $t$  (resp. output transitions of  $p$ ).

Let us perform case analysis on  $input(t)$ ; there are 2 cases:

- **CASE**  $input(t) = \emptyset$ .

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow 1 \rangle \in gm_t$ , and by property of the elaboration relation, and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\Delta(id_t)(ian) = 1$ .

By construction,  $\langle \text{reinit\_time}(0) \Rightarrow \text{false} \rangle \in ipm_t$ , and by property of the initialization relation and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\sigma_0(id_t)(rt)[0] = \text{false}$ .

Rewriting  $\Delta(id_t)(ian)$  as 1 and  $\sigma_0(id_t)(rt)[0]$  as **false**, **tautology**.

- **CASE**  $input(t) \neq \emptyset$ .

To prove the current goal, we can equivalently prove that

$$\exists i \in [0, \Delta(id_t)(ian) - 1] \text{ s.t. } \sigma_0(id_t)(rt)[i] = \text{false.}$$

Since  $input(t) \neq \emptyset$ ,  $\exists p \text{ s.t. } p \in input(t)$ . Let us take such a  $p \in input(t)$ .

By construction, for all  $p \in P$ , there exist  $id_p$  s.t.  $\gamma(p) = id_p$ .

By construction and by definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ .

By construction, there exist  $i \in [0, |input(t)| - 1]$ ,  $j \in [0, |output(p)| - 1]$ ,  $id_{ji} \in Sigs(\Delta)$  s.t.  $\langle \text{reinit\_transitions\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ . Let us take such  $i, j$  and  $id_{ji}$ .

By construction and  $input(t) \neq \emptyset$ ,  $\langle \text{input\_arcs\_number} \Rightarrow |input(t)| \rangle \in gm_t$ .

By property of the  $\mathcal{H}$ -VHDL elaboration relation and  $\langle \text{input\_arcs\_number} \Rightarrow |input(t)| \rangle \in gm_t$ , we can deduce  $\Delta(id_t)(ian) = |input(t)|$ .

Since  $\Delta(id_t)(ian) = |input(t)|$  and we have an  $i \in [0, |input(t)| - 1]$ , then, we have an  $i \in [0, \Delta(id_t)(ian) - 1]$ . Let us take that  $i$  to prove the goal.

Then, we must show  $\sigma_0(id_t)(rt)[i] = \text{false.}$

By property of the  $\mathcal{H}$ -VHDL initialization relation and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ , we can deduce  $\sigma_0(id_t)(“rt”)[i] = \sigma_0(id_{ji})$ .

Rewriting  $\sigma_0(id_t)(“rt”)[i]$  as  $\sigma_0(id_{ji})$ ,  $\boxed{\sigma_0(id_{ji}) = \text{false.}}$

By property of the  $\mathcal{H}$ -VHDL initialization relation and  $\langle \text{reinit\_transitions\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$ , we can deduce  $\sigma_0(id_{ji}) = \sigma_0(id_p)(“rtt”)[j]$ .

Rewriting  $\sigma_0(id_{ji})$  as  $\sigma_0(id_p)(“rtt”)[j]$ ,  $\boxed{\sigma_0(id_p)(“rtt”)[j] = \text{false.}}$

Since  $t \in output(p)$ , then we know that  $output(p) \neq \emptyset$ .

Then, by construction,  $\langle \text{output\_arcs\_number} \Rightarrow |output(p)| \rangle \in gm_p$ .

By property of the elaboration relation and  $\langle \text{output\_arcs\_number} \Rightarrow |output(p)| \rangle \in gm_p$ , we can deduce that  $\Delta(id_p)(“oan”) = |output(p)|$ .

Since  $\Delta(id_p)(“oan”) = |output(p)|$  and  $j \in [0, |output(p)| - 1]$ , then  $j \in [0, \Delta(id_p)(“oan”) - 1]$ .

By property of the  $\mathcal{H}$ -VHDL initialization relation,  $\text{comp}(id_p, “place”, gm_p, ipm_p, opm_p) \in d.cs$ , through the examination of the  $\text{reinit\_transitions\_time\_evaluation}$  process defined in the place design architecture, and since  $j \in [0, \Delta(id_p)(“oan”) - 1]$ ,  $\boxed{\sigma_0(id_p)(“rtt”)[j] = \text{false.}}$

□

### A.1.4 Initial states and condition values

**Lemma 11** (Initial states equal condition values). *For all  $sitpn \in SITPN$ ,  $d \in \text{design}$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Definition 30, then  $\forall c \in \mathcal{C}, id_c \in Ins(\Delta)$  s.t.  $\gamma(c) = id_c$ ,  $s_0.cond(c) = \sigma_0(id_c)$ .*

*Proof.* Given a  $c \in \mathcal{C}$  and an  $id_c \in Ins(\Delta)$  s.t.  $\gamma(c) = id_c$ , let us show that  $\boxed{s_0.cond(c) = \sigma_0(id_c)}$ .

Rewriting  $s_0.cond(c)$  as **false**, by definition of  $s_0$ ,  $\boxed{\sigma_0(id_c) = \text{false.}}$

By construction,  $id_c$  is an input port identifier of Boolean type in the  $\mathcal{H}$ -VHDL design  $d$ , and thus, by property of the  $\mathcal{H}$ -VHDL elaboration relation, we can deduce  $\sigma_e(id_c) = \text{false.}$

By property of the  $\mathcal{H}$ -VHDL initialization relation and  $id_c \in Ins(\Delta)$ , we can deduce  $\sigma_e(id_c) = \sigma_0(id_c)$ .

Rewriting  $\sigma_0(id_c)$  as  $\sigma_e(id_c)$  and  $\sigma_e(id_c)$  as **false**, **tautology**.

□

### A.1.5 Initial states and action executions

**Lemma 12** (Initial states equal action executions). *For all  $sitpn \in SITPN$ ,  $d \in \text{design}$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_{\mathcal{H}})$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Definition 30, then  $\forall a \in \mathcal{A}, id_a \in Outs(\Delta)$  s.t.  $\gamma(a) = id_a$ ,  $s_0.ex(a) = \sigma_0(id_a)$ .*

*Proof.* Given a  $a \in \mathcal{A}$  and an  $id_a \in Outs(\Delta)$  s.t.  $\gamma(a) = id_a$ , let us show that  $\boxed{s_0.ex(a) = \sigma_0(id_a)}$ .

Rewriting  $s_0.ex(a)$  as **false**, by definition of  $s_0$ ,  $\boxed{\sigma_0(id_a) = \text{false.}}$

By construction,  $id_a$  is an output port identifier of Boolean type in the  $\mathcal{H}$ -VHDL design  $d$ . Moreover, we know that the output port identifier  $id_a$  is assigned to **false** in the generated action process during the initialization phase (i.e. the assignment is a part of a *reset* block). Thus, we can deduce that  $\sigma_0(id_a) = \text{false.}$

Rewriting  $\sigma_0(id_a)$  as **false**, **tautology**.

□

### A.1.6 Initial states and function executions

**Lemma 13** (Initial states equal function executions). *For all  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_H)$ ,  $\sigma_e, \sigma_0 \in \Sigma(\Delta)$  that verify the hypotheses of Definition 30, then  $\forall f \in \mathcal{F}, id_f \in Outs(\Delta)$  s.t.  $\gamma(f) = id_f$ ,  $s_0.ex(f) = \sigma_0(id_f)$ .*

*Proof.* Given a  $f \in \mathcal{F}$  and an  $id_f \in Outs(\Delta)$  s.t.  $\gamma(f) = id_f$ , let us show that  $s_0.ex(f) = \sigma_0(id_f)$ .

Rewriting  $s_0.ex(f)$  as **false**, by definition of  $s_0$ ,  $\sigma_0(id_f) = \text{false}$ .

By construction,  $id_f$  is an output port identifier of Boolean type in the  $\mathcal{H}$ -VHDL design  $d$ , and thus, by property of the  $\mathcal{H}$ -VHDL elaboration relation, we can deduce  $\sigma_e(id_f) = \text{false}$ .

By construction, and by property of the initialization relation, we know that the output port identifier  $id_f$  is assigned to **false** in the generated function process during the initialization phase (i.e. the assignment is a part of a *reset* block). Thus, we can deduce  $\sigma_0(id_f) = \text{false}$ .

Rewriting  $\sigma_0(id_f)$  as **false**, tautology.

□

### A.1.7 Initial states and fired transitions

**Lemma 14** (No fired at initial state).  *$\forall d \in design, \Delta \in ElDesign(d, \mathcal{D}_H), \sigma_e, \sigma_0 \in \Sigma(\Delta), id_t \in Comps(\Delta), gm_t, ipm_t, opm_t$  s.t. :*

- $\mathcal{D}_H, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e)$
- $\Delta, \sigma_e \vdash d.cs \xrightarrow{\text{init}} \sigma_0$
- $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$

then  $\sigma_0(id_t)(\text{"fired"}) = \text{false}$ .

*Proof.* Assuming all the above hypotheses, let us show  $\sigma_0(id_t)(\text{"fired"}) = \text{false}$ .

By property of the initialization relation,  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `fired_evaluation` process defined in the transition design architecture, we can deduce:

$$\sigma_0(id_t)(\text{"fired"}) = \sigma_0(id_t)(\text{"s_firable"}) . \sigma_0(id_t)(\text{"s_priority_combination"}) \quad (\text{A.2})$$

Rewriting the goal with Equation (A.2):  $\sigma_0(id_t)(\text{"sfa"}) . \sigma_0(id_t)(\text{"spc"}) = \text{false}$ .

By property of the initialization relation,  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `firable` process defined in the transition design architecture, we can deduce  $\sigma_0(id_t)(\text{"sfa"}) = \text{false}$ .

Rewriting the goal with  $\sigma_0(id_t)(\text{"sfa"}) = \text{false}$  and simplifying the goal, tautology.

□
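The following Python model is an added example, not part of the thesis or of its Coq development: it encodes, for a constructed SITPN, the initialization rules quoted in Lemmas 6 to 14 (the arcless conventions `ian = 1` with `itf(0) = true`, `iaw(0) = 0` and `rt(0) = false`, Equations (A.1) and (A.2), the reset-block defaults) and checks the points of Lemma 5. The data layout of the net and the dictionary representation of states are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Interval = Tuple[int, Optional[int]]  # (lower, upper); upper None encodes infinity

@dataclass
class SITPN:
    """Constructed minimal SITPN (assumed layout): only what the initial-state lemmas use."""
    places: List[str]
    transitions: List[str]
    m0: Dict[str, int]                # initial marking M_0
    pre: Dict[Tuple[str, str], int]   # (p, t) -> weight of the arc p -> t
    post: Dict[Tuple[str, str], int]  # (t, p) -> weight of the arc t -> p
    intervals: Dict[str, Interval]    # t in T_i -> I_s(t)
    conditions: List[str]
    actions: List[str]
    functions: List[str]

def input_trans(n, p):      # input(p): input transitions of place p
    return sorted(t for (t, q) in n.post if q == p)

def output_trans(n, p):     # output(p): output transitions of place p
    return sorted(u for (q, u) in n.pre if q == p)

def input_places(n, t):     # input(t): input places of transition t
    return sorted(p for (p, u) in n.pre if u == t)

def sitpn_initial_state(n):
    """s_0: marking M_0, time counters at 0, no reset order, conditions and executions false."""
    return {"M": dict(n.m0), "I": {t: 0 for t in n.intervals},
            "reset": {t: False for t in n.intervals},
            "cond": {c: False for c in n.conditions},
            "ex": {x: False for x in n.actions + n.functions}}

def hvhdl_initial_state(n):
    """sigma_0 of the translated design, following the initialization rules used in
    Lemmas 6 to 14; an arcless place or transition gets one dummy arc (ian = 1)."""
    sigma = {}
    # Transition instances: time_counter and firable give 0 / false at init, and
    # fired_evaluation computes fired = s_firable AND s_priority_combination (A.2).
    for t in n.transitions:
        sfa, spc = False, False
        sigma[t] = {"s_time_counter": 0, "s_firable": sfa,
                    "s_priority_combination": spc, "fired": sfa and spc}
    # Place instances: s_marking copies initial_marking, itf(i) reads the fired port
    # of the i-th input transition (arcless: itf(0) = true, iaw(0) = 0), and
    # reinit_transitions_time_evaluation drives every rtt(j) to false at init.
    for p in n.places:
        ins = input_trans(n, p)
        itf = [sigma[t]["fired"] for t in ins] or [True]
        iaw = [n.post[(t, p)] for t in ins] or [0]
        sits = sum(w for w, f in zip(iaw, itf) if f)  # Equation (A.1)
        sigma[p] = {"s_marking": n.m0[p], "s_input_token_sum": sits,
                    "reinit_transitions_time": [False] * max(1, len(output_trans(n, p)))}
    # rt(i) of a transition is wired to rtt(j) of its i-th input place (arcless:
    # rt(0) = false); s_reinit_time_counter is the AND over all rt(i).
    for t in n.transitions:
        rt = [sigma[p]["reinit_transitions_time"][output_trans(n, p).index(t)]
              for p in input_places(n, t)] or [False]
        sigma[t]["s_reinit_time_counter"] = all(rt)
    for c in n.conditions:
        sigma[c] = False  # Boolean input port: default value
    for x in n.actions + n.functions:
        sigma[x] = False  # assigned false in the reset block
    return sigma

def time_counter_similar(i, interval, counter):
    """Point 2 of the similarity relation: the design counter saturates at
    lower(I_s(t)) when upper(I_s(t)) is infinite, at upper(I_s(t)) otherwise."""
    lower, upper = interval
    bound = lower if upper is None else upper
    return counter == (i if i <= bound else bound)

def check_initial_similarity(n):
    """Names of the points of Lemma 5 that fail; [] means s_0 ~ sigma_0."""
    s0, sg = sitpn_initial_state(n), hvhdl_initial_state(n)
    failed = []
    if any(s0["M"][p] != sg[p]["s_marking"] for p in n.places):
        failed.append("marking")
    if any(not time_counter_similar(s0["I"][t], n.intervals[t], sg[t]["s_time_counter"])
           for t in n.intervals):
        failed.append("time_counters")
    if any(s0["reset"][t] != sg[t]["s_reinit_time_counter"] for t in n.intervals):
        failed.append("reset_orders")
    if any(s0["cond"][c] != sg[c] for c in n.conditions):
        failed.append("conditions")
    if any(s0["ex"][x] != sg[x] for x in n.actions + n.functions):
        failed.append("executions")
    return failed

# Constructed net: p0 --2--> t0 --1--> p1; p2 and t1 carry no arc at all.
EXAMPLE = SITPN(places=["p0", "p1", "p2"], transitions=["t0", "t1"],
                m0={"p0": 3, "p1": 0, "p2": 1},
                pre={("p0", "t0"): 2}, post={("t0", "p1"): 1},
                intervals={"t0": (2, None), "t1": (1, 4)},
                conditions=["c0"], actions=["a0"], functions=["f0"])
```

`check_initial_similarity(EXAMPLE)` returns `[]`; `time_counter_similar` also covers the non-initial states of the four-case relation, where the design counter is saturated while the SITPN counter keeps growing.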

## A.2 First Rising Edge

**Definition 31** (First rising edge hypotheses). *Given an  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $\Delta \in ElDesign(d, \mathcal{D}_H)$ ,  $\sigma_e, \sigma_0, \sigma_i, \sigma_\uparrow, \sigma \in \Sigma(\Delta)$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ ,  $\tau \in \mathbb{N}$ , assume that:*

- $\lfloor sitpn \rfloor_{\mathcal{H}} = (d, \gamma)$  and  $\mathcal{D}_{\mathcal{H}}, \emptyset \vdash d \xrightarrow{\text{elab}} (\Delta, \sigma_e)$  and  $\gamma \vdash E_p \xrightarrow{\text{env}} E_c$
- $\sigma_0$  is the initial state of  $\Delta$ :  $\Delta, \sigma_e \vdash d.cs \xrightarrow{\text{init}} \sigma_0$
- $E_c, \tau \vdash s_0 \xrightarrow{\uparrow_0} s_0$
- $\text{Inject}_{\uparrow}(\sigma_0, E_p, \tau, \sigma_i)$  and  $\Delta, \sigma_i \vdash d.cs \xrightarrow{\uparrow} \sigma_{\uparrow}$  and  $\Delta, \sigma_{\uparrow} \vdash d.cs \xrightarrow{\theta} \sigma$

**Lemma 15** (First rising edge). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_{\uparrow}, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Definition 31, then  $\gamma, E_c, \tau \vdash s_0 \approx^{\uparrow} \sigma$ .*

*Proof.* By definition of the **Full post rising edge state similarity** relation, there are 8 points to prove.

1.  $\forall p \in P, id_p \in Comps(\Delta) \text{ s.t. } \gamma(p) = id_p, s_0.M(p) = \sigma(id_p)(\text{"s_marking"})$ .
2.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t))) \Rightarrow s_0.I(t) = \sigma(id_t)(\text{"s_time_counter"})$   
 $\wedge (upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t))) \Rightarrow \sigma(id_t)(\text{"s_time_counter"}) = lower(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t))) \Rightarrow \sigma(id_t)(\text{"s_time_counter"}) = upper(I_s(t))$   
 $\wedge (upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t))) \Rightarrow s_0.I(t) = \sigma(id_t)(\text{"s_time_counter"})$ .
3.  $\forall t \in T_i, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, s_0.reset_t(t) = \sigma(id_t)(\text{"s_reinit_time_counter"})$ .
4.  $\forall a \in \mathcal{A}, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s_0.ex(a) = \sigma(id_a)$ .
5.  $\forall f \in \mathcal{F}, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s_0.ex(f) = \sigma(id_f)$ .
6.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Sens(s_0.M) \Leftrightarrow \sigma(id_t)(\text{"s_enabled"}) = \text{true}$ .
7.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Sens(s_0.M) \Leftrightarrow \sigma(id_t)(\text{"s_enabled"}) = \text{false}$ .
8.  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$   

$$\sigma(id_t)(\text{"s_condition_combination"}) = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

where  $\text{conds}(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$ .

- Apply the **First rising edge equal marking** lemma to solve 1.
- Apply the **First rising edge equal time counters** lemma to solve 2.
- Apply the **First rising edge equal reset orders** lemma to solve 3.
- Apply the **First rising edge equal action executions** lemma to solve 4.
- Apply the **First rising edge equal function executions** lemma to solve 5.
- Apply the **First rising edge equal sensitized** lemma to solve 6.
- Apply the **First rising edge not equal sensitized** lemma to solve 7.
- Apply the **First rising edge equal condition combination** lemma to solve 8.

□

### A.2.1 First rising edge and marking

**Lemma 16** (First rising edge equal marking). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_{\uparrow}, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Definition 31, then  $\forall p \in P, id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p, s_0.M(p) = \sigma(id_p)(“s_marking”)$ .*

*Proof.* Given a  $p$  and an  $id_p$  s.t.  $\gamma(p) = id_p$ , let us show that  $s_0.M(p) = \sigma(id_p)(“s_marking”)$ .

By construction and by definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, “place”, gm_p, ipm_p, opm_p) \in d.cs$ .

By property of the  $\text{Inject}_{\uparrow}$  relation, the  $\mathcal{H}$ -VHDL rising edge relation, the stabilize relation,  $\text{comp}(id_p, “place”, gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the marking process defined in the place design architecture, we can deduce:

$$\sigma(id_p)(“sm”) = \sigma_0(id_p)(“sm”) + \sigma_0(id_p)(“sits”) - \sigma_0(id_p)(“sots”) \quad (\text{A.3})$$

Rewriting the goal with Equation (A.3):

$$s_0.M(p) = \sigma_0(id_p)(“sm”) + \sigma_0(id_p)(“sits”) - \sigma_0(id_p)(“sots”).$$

Appealing to Lemmas 7 and 8, we can deduce  $\sigma_0(id_p)(“sits”) = 0$  and  $\sigma_0(id_p)(“sots”) = 0$ . Rewriting the goal with  $\sigma_0(id_p)(“sits”) = 0$  and  $\sigma_0(id_p)(“sots”) = 0$ ,  $s_0.M(p) = \sigma_0(id_p)(“sm”)$ .

Appealing to Lemma 6,  $s_0.M(p) = \sigma_0(id_p)(“sm”)$ .

□

### A.2.2 First rising edge and time counters

**Lemma 17** (First rising edge equal time counters). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_{\uparrow}, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Definition 31, then*

$\forall t \in T_i, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,

- $upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t)) \Rightarrow s_0.I(t) = \sigma(id_t)(“s_time_counter”)$   $\wedge$
- $upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t)) \Rightarrow \sigma(id_t)(“s_time_counter”) = lower(I_s(t))$   $\wedge$
- $upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t)) \Rightarrow \sigma(id_t)(“s_time_counter”) = upper(I_s(t))$   $\wedge$
- $upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t)) \Rightarrow s_0.I(t) = \sigma(id_t)(“s_time_counter”)$ .

*Proof.* Given a  $t \in T_i$  and an  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show that:

1. $\boxed{upper(I_s(t)) = \infty \wedge s_0.I(t) \leq lower(I_s(t)) \Rightarrow s_0.I(t) = \sigma(id_t)(\text{"s_time_counter"})}$
2. $\boxed{upper(I_s(t)) = \infty \wedge s_0.I(t) > lower(I_s(t)) \Rightarrow \sigma(id_t)(\text{"s_time_counter"}) = lower(I_s(t))}$
3. $\boxed{upper(I_s(t)) \neq \infty \wedge s_0.I(t) > upper(I_s(t)) \Rightarrow \sigma(id_t)(\text{"s_time_counter"}) = upper(I_s(t))}$
4. $\boxed{upper(I_s(t)) \neq \infty \wedge s_0.I(t) \leq upper(I_s(t)) \Rightarrow s_0.I(t) = \sigma(id_t)(\text{"s_time_counter"})}$

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, “transition”, gm_t, ipm_t, opm_t) \in d.cs$ .

Then, let us show the 4 previous points:

1. Assuming that  $\text{upper}(I_s(t)) = \infty$  and  $s_0.I(t) \leq \text{lower}(I_s(t))$ , let us show  $s_0.I(t) = \sigma(id_t)(\text{"stc"})$ .

By property of the  $\text{Inject}_\uparrow$  relation, the  $\mathcal{H}$ -VHDL rising edge and stabilize relations, and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\sigma(id_t)(\text{"stc"}) = \sigma_0(id_t)(\text{"stc"})$ .

Rewriting  $\sigma(id_t)(\text{"stc"})$  as  $\sigma_0(id_t)(\text{"stc"})$ ,  $s_0.I(t) = \sigma_0(id_t)(\text{"stc"})$ .

Appealing to Lemma 9,  $s_0.I(t) = \sigma_0(id_t)(\text{"stc"})$ .

2. Assuming that  $\text{upper}(I_s(t)) = \infty$  and  $s_0.I(t) > \text{lower}(I_s(t))$ , let us show

$$\sigma(id_t)(\text{"stc"}) = \text{lower}(I_s(t)).$$

By definition,  $\text{lower}(I_s(t)) \in \mathbb{N}^*$  and  $s_0.I(t) = 0$ . Then,  $\text{lower}(I_s(t)) < 0$  is a contradiction.

3. Assuming that  $\text{upper}(I_s(t)) \neq \infty$  and  $s_0.I(t) > \text{upper}(I_s(t))$ , let us show

$$\sigma(id_t)(\text{"stc"}) = \text{upper}(I_s(t)).$$

By definition,  $\text{upper}(I_s(t)) \in \mathbb{N}^*$  and  $s_0.I(t) = 0$ . Then,  $\text{upper}(I_s(t)) < 0$  is a contradiction.

4. Assuming that  $\text{upper}(I_s(t)) \neq \infty$  and  $s_0.I(t) \leq \text{upper}(I_s(t))$ , let us show

$$s_0.I(t) = \sigma(id_t)(\text{"stc"}).$$

By property of the  $\text{Inject}_\uparrow$  relation, the  $\mathcal{H}$ -VHDL rising edge and stabilize relations, and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\sigma(id_t)(\text{"stc"}) = \sigma_0(id_t)(\text{"stc"})$ .

Rewriting  $\sigma(id_t)(\text{"stc"})$  as  $\sigma_0(id_t)(\text{"stc"})$ ,  $s_0.I(t) = \sigma_0(id_t)(\text{"stc"})$ .

Appealing to Lemma 9,  $s_0.I(t) = \sigma_0(id_t)(\text{"stc"})$ .

□

### A.2.3 First rising edge and reset orders

**Lemma 18** (First rising edge equal reset orders). *For all  $\text{sitpn}, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_\uparrow, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Definition 31, then*

$\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t, s_0.\text{reset}_t(t) = \sigma(id_t)(\text{"s_reinit_time_counter"})$ .

*Proof.* Given a  $t \in T$  and an  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show that

$$s_0.\text{reset}_t(t) = \sigma(id_t)(\text{"srtc"}).$$

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the stabilize relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `reinit_time_counter_evaluation` process defined in the transition design architecture, we can deduce:

$$\sigma(id_t)(\text{"srtc"}) = \sum_{i=0}^{\Delta(id_t)(\text{"input_arcs_number"})-1} \sigma(id_t)(\text{"reinit_time"})[i] \quad (\text{A.4})$$

Rewriting the goal with Equation (A.4):  $s_0.\text{reset}_t(t) = \sum_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma(id_t)(\text{"rt"})[i]$ .

Let us perform case analysis on  $\text{input}(t)$ ; there are two cases:

- **CASE**  $\text{input}(t) = \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow 1 \rangle \in gm_t$ , and by property of the  $\mathcal{H}$ -VHDL elaboration relation, we can deduce  $\Delta(id_t)(\text{"ian"}) = 1$ .

By construction,  $\langle \text{reinit\_time}(0) \Rightarrow \text{false} \rangle \in ipm_t$ , and by property of the  $\mathcal{H}$ -VHDL stabilize relation,  $\sigma(id_t)(\text{"rt"})[0] = \text{false}$ .

Rewriting the goal with  $\Delta(id_t)(\text{"ian"}) = 1$  and  $\sigma(id_t)(\text{"rt"})[0] = \text{false}$ ,  $s_0.\text{reset}_t(t) = \text{false}$ .

By definition of  $s_0$ ,  $s_0.\text{reset}_t(t) = \text{false}$ .

- **CASE**  $\text{input}(t) \neq \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |\text{input}(t)| \rangle \in gm_t$ , and by property of the  $\mathcal{H}$ -VHDL elaboration relation, we can deduce  $\Delta(id_t)(\text{"ian"}) = |\text{input}(t)|$ .

Rewriting  $\Delta(id_t)(\text{"ian"})$  as  $|\text{input}(t)|$ ,  $s_0.\text{reset}_t(t) = \sum_{i=0}^{|\text{input}(t)|-1} \sigma(id_t)(\text{"rt"})[i]$ .

By definition of  $s_0$ ,  $s_0.\text{reset}_t(t) = \text{false}$ . Rewriting  $s_0.\text{reset}_t(t)$  as  $\text{false}$ ,

$\sum_{i=0}^{|\text{input}(t)|-1} \sigma(id_t)(\text{"rt"})[i] = \text{false}$ .

Given a  $i \in [0, |\text{input}(t)| - 1]$ , let us show  $\sigma(id_t)(\text{"rt"})[i] = \text{false}$ .

By construction, and since  $\text{input}(t) \neq \emptyset$ , there exist a  $p \in \text{input}(t)$ , an  $id_p \in \text{Comps}(\Delta)$  s.t.  $\gamma(p) = id_p$ , a  $gm_p$ , an  $ipm_p$ , an  $opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , and there exist a  $j \in [0, |\text{output}(p)| - 1]$  and an  $id_{ji} \in \text{Sigs}(\Delta)$  s.t.  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ .

By property of the stabilize relation,  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ , we can deduce  $\sigma(id_t)(\text{"rt"})[i] = \sigma(id_{ji}) = \sigma(id_p)(\text{"rtt"})[j]$ .

Rewriting  $\sigma(id_t)(\text{"rt"})[i]$  as  $\sigma(id_{ji})$  and  $\sigma(id_{ji})$  as  $\sigma(id_p)(\text{"rtt"})[j]$ ,  $\sigma(id_p)(\text{"rtt"})[j] = \text{false}$ .

By property of the  $\mathcal{H}$ -VHDL rising edge and stabilize relations,  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the process defined in the place design architecture, we can deduce:

$$\begin{aligned} \sigma(id_p)(\text{"rtt"})[j] &= ((\sigma_0(id_p)(\text{"oat"})[j] = \text{basic} + \sigma_0(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (\sigma_0(id_p)(\text{"sm"}) - \sigma_0(id_p)(\text{"sots"}) < \sigma_0(id_p)(\text{"oaw"})[j]) \\ &\quad \cdot (\sigma_0(id_p)(\text{"sots"}) > 0)) \\ &\quad + \sigma_0(id_p)(\text{"otf"})[j] \end{aligned} \tag{A.5}$$

Rewriting the goal with Equation (A.5),

$\text{false} = ((\sigma_0(id_p)(\text{"oat"})[j] = \text{basic} + \sigma_0(id_p)(\text{"oat"})[j] = \text{test})$   
 $\cdot (\sigma_0(id_p)(\text{"sm"}) - \sigma_0(id_p)(\text{"sots"}) < \sigma_0(id_p)(\text{"oaw"})[j])$   
 $\cdot (\sigma_0(id_p)(\text{"sots"}) > 0))$   
 $+ \sigma_0(id_p)(\text{"otf"})[j]$

By construction, there exists an  $id_{fj} \in Sigs(\Delta)$  s.t.  $\langle fired \Rightarrow id_{fj} \rangle \in opm_t$  and  $\langle output\_transitions\_fired(j) \Rightarrow id_{fj} \rangle \in ipm_p$ .

By property of the initialization relation,  $\langle fired \Rightarrow id_{fj} \rangle \in opm_t$  and  $\langle output\_transitions\_fired(j) \Rightarrow id_{fj} \rangle \in ipm_p$ , we can deduce  $\sigma_0(id_p)(“otf”)[j] = \sigma_0(id_{fj}) = \sigma_0(id_t)(“fired”)$ .

Appealing to Lemma 14, we can deduce  $\sigma_0(id_t)(“fired”) = \text{false}$  and consequently  $\sigma_0(id_p)(“otf”)[j] = \text{false}$ .

Rewriting  $\sigma_0(id_p)(“otf”)[j]$  as **false** and simplifying the goal,

$$\begin{aligned} \text{false} = & ((\sigma_0(id_p)(“oat”)[j] = \text{basic} + \sigma_0(id_p)(“oat”)[j] = \text{test}) \\ & \cdot (\sigma_0(id_p)(“sm”) - \sigma_0(id_p)(“sots”) < \sigma_0(id_p)(“oaw”)[j]) \\ & \cdot (\sigma_0(id_p)(“sots”) > 0)) \end{aligned}$$

Appealing to Lemma 8, we can deduce  $\sigma_0(id_p)(“sots”) = 0$ .

Rewriting  $\sigma_0(id_p)(“sots”)$  as 0 and simplifying the goal, **tautology**. □

### A.2.4 First rising edge and action executions

**Lemma 19** (First rising edge equal action executions). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_\uparrow, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Definition 31, then*

$$\forall a \in \mathcal{A}, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s_0.ex(a) = \sigma(id_a).$$

*Proof.* Given an  $a \in \mathcal{A}$  and an  $id_a \in Outs(\Delta)$  s.t.  $\gamma(a) = id_a$ , let us show that  $s_0.ex(a) = \sigma(id_a)$ .

By construction,  $id_a$  is an output port identifier of Boolean type in the  $\mathcal{H}$ -VHDL design  $d$ . The generated action process assigns a value to the output port  $id_a$  only during the initialization phase or a falling edge phase.

By property of the  $\text{Inject}_\uparrow$ ,  $\mathcal{H}$ -VHDL rising edge and stabilize relations, we can deduce  $\sigma(id_a) = \sigma_0(id_a)$ .

Rewriting  $\sigma(id_a)$  as  $\sigma_0(id_a)$ ,  $s_0.ex(a) = \sigma_0(id_a)$ . Appealing to Lemma 12,  $s_0.ex(a) = \sigma_0(id_a)$ . □

### A.2.5 First rising edge and function executions

**Lemma 20** (First rising edge equal function executions). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_\uparrow, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Definition 31, then*

$$\forall f \in \mathcal{F}, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s_0.ex(f) = \sigma(id_f).$$

*Proof.* Given an  $f \in \mathcal{F}$  and an  $id_f \in Outs(\Delta)$  s.t.  $\gamma(f) = id_f$ , let us show that  $s_0.ex(f) = \sigma(id_f)$ .

By definition of  $s_0$ ,  $s_0.ex(f) = \text{false}$ . Rewriting  $s_0.ex(f)$  as **false** in the goal, it remains to show  $\sigma(id_f) = \text{false}$ .

By construction,  $id_f$  is an output port identifier of Boolean type in the  $\mathcal{H}$ -VHDL design  $d$ . The generated function process assigns a value to the output port  $id_f$  only during the initialization phase or during a rising edge phase.

By construction, the function process is defined in the behavior of design  $d$ , i.e.

$$\text{ps}(\text{"function"}, \emptyset, sl, ss) \in d.cs$$

Let  $\text{trs}(f)$  be the set of transitions associated to function  $f$ , i.e  $\text{trs}(f) = \{t \in T \mid \mathbb{F}(t, f) = \text{true}\}$ .

Let us perform case analysis on  $\text{trs}(f)$ ; there are two cases:

- **CASE**  $\text{trs}(f) = \emptyset$ :

By construction,  $\text{id}_f \Leftarrow \text{false} \in ss_{\uparrow}$  where  $ss_{\uparrow}$  is the part of the “function” process body executed during a rising edge phase (i.e. a rising edge block statement).

By property of the  $\mathcal{H}$ -VHDL rising edge and the stabilize relation,  $\sigma(\text{id}_f) = \text{false}$ .

- **CASE**  $\text{trs}(f) \neq \emptyset$ :

By construction,  $\text{id}_f \Leftarrow \text{id}_{ft_0} + \dots + \text{id}_{ft_n} \in ss_{\uparrow}$  where  $ss_{\uparrow}$  is the part of the “function” process body executed during the rising edge phase, and  $n = |\text{trs}(f)| - 1$ , and for all  $i \in [0, n - 1]$ ,  $\text{id}_{ft_i}$  is an internal signal of design  $d$ .

By property of the  $\text{Inject}_{\uparrow}$ , the  $\mathcal{H}$ -VHDL rising edge and stabilize relations, we can deduce  $\sigma(\text{id}_f) = \sigma_0(\text{id}_{ft_0}) + \dots + \sigma_0(\text{id}_{ft_n})$ .

Rewriting  $\sigma(\text{id}_f)$  as  $\sigma_0(\text{id}_{ft_0}) + \dots + \sigma_0(\text{id}_{ft_n})$ ,  $\boxed{\sigma_0(\text{id}_{ft_0}) + \dots + \sigma_0(\text{id}_{ft_n}) = \text{false}}$ .

By construction, for all  $\text{id}_{ft_i}$ , there exist a  $t_i \in \text{trs}(f)$  and an  $\text{id}_{t_i}$  s.t.  $\gamma(t_i) = \text{id}_{t_i}$ .

By construction and by definition of  $\text{id}_{t_i}$ , there exist  $gm_{t_i}$ ,  $ipm_{t_i}$  and  $opm_{t_i}$  s.t.  $\text{comp}(\text{id}_{t_i}, \text{"transition"}, gm_{t_i}, ipm_{t_i}, opm_{t_i}) \in d.cs$ .

By construction,  $\langle \text{fired} \Rightarrow \text{id}_{ft_i} \rangle \in opm_{t_i}$ , and by property of the initialization relation,  $\sigma_0(\text{id}_{ft_i}) = \sigma_0(\text{id}_{t_i})(\text{"fired"})$ .

Rewriting  $\sigma_0(\text{id}_{ft_i})$  as  $\sigma_0(\text{id}_{t_i})(\text{"fired"})$ ,  $\boxed{\sigma_0(\text{id}_{t_0})(\text{"fired"}) + \dots + \sigma_0(\text{id}_{t_n})(\text{"fired"}) = \text{false}}$ .

Appealing to Lemma 14, we can deduce  $\sigma_0(\text{id}_{t_i})(\text{"fired"}) = \text{false}$ .

Rewriting all  $\sigma_0(\text{id}_{t_i})(\text{"fired"})$  as  $\text{false}$  and simplifying the goal, tautology.

□

### A.2.6 First rising edge and sensitization

**Lemma 21** (First rising edge equal sensitized). *For all  $\text{sitpn}, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_{\uparrow}, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Definition 31, then*

$$\forall t \in T, \text{id}_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = \text{id}_t, t \in \text{Sens}(s_0.M) \Leftrightarrow \sigma(\text{id}_t)(\text{"s_enabled"}) = \text{true}$$

*Proof.* See the proof of Lemma 30. □

**Lemma 22** (First rising edge not equal sensitized). *For all  $\text{sitpn}, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_{\uparrow}, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Definition 31, then*

$$\forall t \in T, \text{id}_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = \text{id}_t, t \notin \text{Sens}(s_0.M) \Leftrightarrow \sigma(\text{id}_t)(\text{"s_enabled"}) = \text{false}$$

*Proof.* See the proof of Lemma 31. □

### A.2.7 First rising edge and condition combination

**Lemma 23** (First rising edge equal condition combination). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, \sigma_0, \sigma_i, \sigma_\uparrow, \sigma, E_c, E_p, \tau$  that verify the hypotheses of Definition 31, then*

$\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,

$$\sigma(id_t)(\text{"s\_condition\_combination"}) = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

where  $\text{conds}(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$ .

*Proof.* See the proof of Lemma 25.  $\square$

## A.3 Rising Edge

**Definition 32** (Rising edge hypotheses). *Given an  $sitpn \in SITPN$ ,  $d \in design$ ,  $\gamma \in WM(sitpn, d)$ ,  $E_c \in \mathbb{N} \rightarrow \mathcal{C} \rightarrow \mathbb{B}$ ,  $\Delta \in ElDesign(d, \mathcal{D}_H)$ ,  $E_p \in (\mathbb{N} \times \{\uparrow, \downarrow\}) \rightarrow Ins(\Delta) \rightarrow value$ ,  $\tau \in \mathbb{N}$ ,  $s, s' \in S(sitpn)$ ,  $\sigma_e, \sigma, \sigma_i, \sigma_\uparrow, \sigma' \in \Sigma(\Delta)$ , assume that:*

- $\lfloor sitpn \rfloor_H = (d, \gamma)$  and  $\gamma \vdash E_p \stackrel{\text{env}}{=} E_c$  and  $\mathcal{D}_H, \emptyset \vdash d \xrightarrow{\text{elab}} \Delta, \sigma_e$
- $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$
- $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$
- $\text{Inject}_\uparrow(\sigma, E_p, \tau, \sigma_i)$  and  $\mathcal{D}_H, \Delta, \sigma_i \vdash d.cs \xrightarrow{\uparrow} \sigma_\uparrow$  and  $\mathcal{D}_H, \Delta, \sigma_\uparrow \vdash d.cs \xrightarrow{\sim} \sigma'$
- State  $\sigma$  is a stable design state:  $\mathcal{D}_H, \Delta, \sigma \vdash d.cs \xrightarrow{\text{comb}} \sigma$

### A.3.1 Rising edge and Marking

**Lemma 24** (Rising edge equal marking). *For all  $sitpn, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_\uparrow, \sigma'$  that verify the hypotheses of Def. 32, then  $\forall p, id_p$  s.t.  $\gamma(p) = id_p$ ,  $s'.M(p) = \sigma'(id_p)(\text{"s_marking"})$ .*

*Proof.* Given a  $p \in P$ , let us show  $\boxed{s'.M(p) = \sigma'(id_p)(\text{"s_marking"})}$ .

By construction and by definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ .

By definition of the SITPN state transition relation on rising edge:

$$s'.M(p) = s.M(p) - \sum_{t \in Fired(s)} pre(p, t) + \sum_{t \in Fired(s)} post(t, p) \quad (\text{A.6})$$

By property of the  $\text{Inject}_\uparrow$ , the  $H$ -VHDL rising edge and the stabilize relations,  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the marking process defined in the place design architecture, we can deduce:

$$\begin{aligned} \sigma'(id_p)(\text{"sm"}) &= \sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"s_output_token_sum"}) \\ &\quad + \sigma(id_p)(\text{"s_input_token_sum"}) \end{aligned} \quad (\text{A.7})$$

Rewriting the goal with A.6 and A.7,

$$s.M(p) - \sum_{t \in Fired(s)} pre(p, t) + \sum_{t \in Fired(s)} post(t, p) = \sigma(id_p)(“sm”) - \sigma(id_p)(“sots”) + \sigma(id_p)(“sits”).$$

By definition of the **Full post falling edge state similarity** relation, we can deduce  $s.M(p) = \sigma(id_p)(“sm”), \sum_{t \in Fired(s)} pre(p, t) = \sigma(id_p)(“sots”) \text{ and } \sum_{t \in Fired(s)} post(t, p) = \sigma(id_p)(“sits”),$  and thus,

$$s.M(p) - \sum_{t \in Fired(s)} pre(p, t) + \sum_{t \in Fired(s)} post(t, p) = \sigma(id_p)(“sm”) - \sigma(id_p)(“sots”) + \sigma(id_p)(“sits”).$$

□
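The marking process and the `reinit_transition_time` computation that Lemmas 16, 18 and 24 reason about, as an added Python model that is not part of the thesis or of the HILECOP code base: the place, its arcs, the sample firing and the rule that only basic arcs consume tokens are constructed for the example, and `pre`, `post` and `Fired` are re-implemented here from (A.6).

```python
# Added example (not thesis or HILECOP code): a model of the generated "place"
# component over one rising edge, written from equations (A.3)/(A.7) (marking
# process) and (A.5) (reinit_transition_time), beside the SITPN-side marking
# update (A.6). Signal names follow the page's abbreviations (sm, sits, sots,
# oat, oaw, otf, rtt); the sample place below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

BASIC, TEST, INHIBITOR = "basic", "test", "inhibitor"

# An output arc of place p: (output transition t_j, arc type, weight).
OutputArcs = List[Tuple[str, str, int]]


@dataclass
class PlaceState:
    """Signals of one place instance as they stand when the rising edge begins."""
    sm: int            # s_marking
    sits: int          # s_input_token_sum
    sots: int          # s_output_token_sum
    oat: List[str]     # output arc type of output transition j
    oaw: List[int]     # output arc weight of output transition j
    otf: List[bool]    # output_transitions_fired(j), wired from t_j's "fired"


def marking_after_rising_edge(st: PlaceState) -> int:
    """Marking process, equations (A.3)/(A.7): sm' = sm - sots + sits."""
    return st.sm - st.sots + st.sits


def reinit_transition_time(st: PlaceState, j: int) -> bool:
    """Equation (A.5) for output transition j ('+' read as or, '.' as and)."""
    arc_counts = st.oat[j] in (BASIC, TEST)
    return (arc_counts and st.sm - st.sots < st.oaw[j] and st.sots > 0) or st.otf[j]


def pre(outputs: OutputArcs, t: str) -> int:
    """pre(p, t): tokens t consumes from p, i.e. the weight of a basic arc p -> t
    (assumption of this model: test and inhibitor arcs consume no token)."""
    return sum(w for tj, a, w in outputs if tj == t and a == BASIC)


def sitpn_marking_after_rising_edge(M_p: int, outputs: OutputArcs,
                                    post_p: Dict[str, int], fired: Set[str]) -> int:
    """Equation (A.6): s'.M(p) = s.M(p) - sum pre(p,t) + sum post(t,p), t in Fired(s)."""
    consumed = sum(pre(outputs, t) for t in fired)
    produced = sum(w for t, w in post_p.items() if t in fired)
    return M_p - consumed + produced


def place_state_after_falling_edge(M_p: int, outputs: OutputArcs,
                                   post_p: Dict[str, int], fired: Set[str]) -> PlaceState:
    """The facts the full post falling edge state similarity gives Lemma 24:
    sm = s.M(p), sots = sum of pre over Fired(s), sits = sum of post over
    Fired(s), and otf[j] mirrors the "fired" port of output transition t_j."""
    return PlaceState(sm=M_p,
                      sits=sum(w for t, w in post_p.items() if t in fired),
                      sots=sum(pre(outputs, t) for t in fired),
                      oat=[a for _, a, _ in outputs],
                      oaw=[w for _, _, w in outputs],
                      otf=[t in fired for t, _, _ in outputs])


def initial_place_state(M0_p: int, outputs: OutputArcs) -> PlaceState:
    """sigma_0 as Lemmas 7, 8 and 14 describe it: sits = sots = 0, nothing fired."""
    return PlaceState(sm=M0_p, sits=0, sots=0,
                      oat=[a for _, a, _ in outputs],
                      oaw=[w for _, _, w in outputs],
                      otf=[False] * len(outputs))


def rising_edge_check(M_p, outputs, post_p, fired) -> Tuple[int, int, List[bool]]:
    """Both sides of Lemma 24 plus the rtt vector of (A.5) for one place."""
    st = place_state_after_falling_edge(M_p, outputs, post_p, fired)
    rtt = [reinit_transition_time(st, j) for j in range(len(outputs))]
    return (sitpn_marking_after_rising_edge(M_p, outputs, post_p, fired),
            marking_after_rising_edge(st), rtt)


def first_rising_edge_check(M0_p, outputs) -> Tuple[int, List[bool]]:
    """Lemma 16 (marking kept) and Lemma 18 (every reset order false) at sigma_0."""
    st = initial_place_state(M0_p, outputs)
    return (marking_after_rising_edge(st),
            [reinit_transition_time(st, j) for j in range(len(outputs))])


# Constructed place: p has output arcs to t1 (basic, weight 2) and t2 (test,
# weight 1), and one input arc from t3 of weight 1.
OUTPUTS: OutputArcs = [("t1", BASIC, 2), ("t2", TEST, 1)]
POST_P = {"t3": 1}

if __name__ == "__main__":
    print(rising_edge_check(3, OUTPUTS, POST_P, {"t1", "t3"}))  # (2, 2, [True, False])
    print(first_rising_edge_check(3, OUTPUTS))                  # (3, [False, False])
```

With t1 and t3 fired, both sides move the marking from 3 to 2, and t1 gets a reinit order because the place no longer carries its arc weight after the subtraction, while at the first rising edge nothing changes and no order is emitted.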

### A.3.2 Rising edge and condition combination

**Lemma 25** (Rising edge equal condition combination). *For all  $sitpn, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_\uparrow, \sigma'$  that verify the hypotheses of Def. 32, then*

$\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$

$$\sigma'(id_t)(“s\_condition\_combination”) = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

where  $\text{conds}(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}.$

*Proof.* Given a  $t$  and an  $id_t$  s.t.  $\gamma(t) = id_t$ , let us show

$$\sigma'(id_t)(“s\_condition\_combination”) = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}.$$

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, “transition”, gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL stabilize relation,  $\text{comp}(id_t, “transition”, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the condition\_evaluation process defined in the transition design architecture, we can deduce:

$$\sigma'(id_t)(“scc”) = \prod_{i=0}^{\Delta(id_t)(“conditions\_number”) - 1} \sigma'(id_t)(“input_conditions”)[i] \quad (\text{A.8})$$

Rewriting the goal with A.8,

$$\prod_{i=0}^{\Delta(id_t)(“cn”) - 1} \sigma'(id_t)(“ic”)[i] = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}.$$

Let us perform case analysis on  $\text{conds}(t)$ ; there are two cases:

- **CASE**  $\text{conds}(t) = \emptyset$ :  $\prod_{i=0}^{\Delta(id_t)(“cn”) - 1} \sigma'(id_t)(“ic”)[i] = \text{true}.$

By construction,  $\langle \text{conditions\_number} \Rightarrow 1 \rangle \in gm_t$  and  $\langle \text{input\_conditions}(0) \Rightarrow \text{true} \rangle \in ipm_t$ .

By property of the stabilize relation,  $\langle \text{conditions\_number} \Rightarrow 1 \rangle \in gm_t$  and  $\langle \text{input\_conditions}(0) \Rightarrow \text{true} \rangle \in ipm_t$ , we can deduce  $\Delta(id_t)(“cn”) = 1$  and  $\sigma'(id_t)(“ic”)[0] = \text{true}$ .

Rewriting the goal with  $\Delta(id_t)(“cn”) = 1$  and  $\sigma'(id_t)(“ic”)[0] = \text{true}$ , **tautology**.

- **CASE**  $\text{conds}(t) \neq \emptyset$ :

By construction,  $\langle \text{conditions\_number} \Rightarrow |\text{conds}(t)| \rangle \in gm_t$ , and by property of the stabilize relation, we can deduce  $\Delta(id_t)(\text{"cn"}) = |\text{conds}(t)|$ .

Rewriting the goal with  $\Delta(id_t)(\text{"cn"}) = |\text{conds}(t)|$ :

$$\prod_{i=0}^{|\text{conds}(t)|-1} \sigma'(id_t)(\text{"ic"})[i] = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

Let us reason by induction on the left product term:

- **BASE CASE:**  $\prod_{i=0}^{|\text{conds}(t)|-1} \sigma'(id_t)(\text{"ic"})[i] = 0$  and  $|\text{conds}(t)| - 1 < 0$ . Thus, we can deduce that  $|\text{conds}(t)| = 0$  which contradicts  $\text{conds}(t) \neq \emptyset$ .

- **INDUCTION CASE:**

$$\forall \text{conds}' \subseteq \mathcal{C}, \prod_{i=1}^{|\text{conds}(t)|-1} \sigma'(id_t)(\text{"ic"})[i] = \prod_{c \in \text{conds}'} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

$$\sigma'(id_t)(\text{"ic"})[0] \cdot \prod_{i=1}^{|\text{conds}(t)|-1} \sigma'(id_t)(\text{"ic"})[i] = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

By construction, for all  $i \in [0, |\text{conds}(t)| - 1]$ , there exists  $c \in \text{conds}(t)$  and an  $id_c \in \text{Ins}(\Delta)$  such that

  - $\gamma(c) = id_c$
  - $\mathbb{C}(t, c) = 1$  implies  $\langle \text{input\_conditions}(i) \Rightarrow id_c \rangle \in ipm_t$
  - $\mathbb{C}(t, c) = -1$  implies  $\langle \text{input\_conditions}(i) \Rightarrow \text{not } id_c \rangle \in ipm_t$

For  $i = 0$ , let us take such a  $c \in \text{conds}(t)$  and an  $id_c$  with the above properties. By definition of  $c \in \text{conds}(t)$ , we can deduce  $\mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1$ . Let us perform case analysis on  $\mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1$ :

  - **CASE**  $\mathbb{C}(t, c) = 1$ :

Then, we have  $\langle \text{input\_conditions}(0) \Rightarrow id_c \rangle \in ipm_t$  and by property of the stabilize relation, we can deduce  $\sigma'(id_t)(\text{"ic"})[0] = \sigma'(id_c)$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"ic"})[0] = \sigma'(id_c)$ :

$$\sigma'(id_c) \cdot \prod_{i=1}^{|\text{conds}(t)|-1} \sigma'(id_t)(\text{"ic"})[i] = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

By property of the  $\text{Inject}_\uparrow$  relation and  $id_c \in \text{Ins}(\Delta)$ , we can deduce  $\sigma'(id_c) = E_p(\tau, \uparrow)(id_c)$ .

By property of  $\gamma \vdash E_p \stackrel{\text{env}}{=} E_c$ , we can deduce  $E_p(\tau, \uparrow)(id_c) = E_c(\tau, c)$ .

Rewriting the goal with  $\sigma'(id_c) = E_p(\tau, \uparrow)(id_c)$  and  $E_p(\tau, \uparrow)(id_c) = E_c(\tau, c)$ :

$$E_c(\tau, c) \cdot \prod_{i=1}^{|\text{conds}(t)|-1} \sigma'(id_t)(\text{"ic"})[i] = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

By definition of the  $\prod$  operator, we can rewrite the right term of the goal as follows:

$$E_c(\tau, c) \cdot \prod_{i=1}^{|conds(t)|-1} \sigma'(id_t)(\text{"ic"})[i] = E_c(\tau, c) \cdot \prod_{c' \in conds(t) \setminus \{c\}} \begin{cases} E_c(\tau, c') & \text{if } \mathbb{C}(t, c') = 1 \\ \text{not}(E_c(\tau, c')) & \text{if } \mathbb{C}(t, c') = -1 \end{cases}$$

Appealing to the induction hypothesis, tautology.

  - **CASE**  $\mathbb{C}(t, c) = -1$ :

Then, we have  $\langle \text{input\_conditions}(0) \Rightarrow \text{not } id_c \rangle \in ipm_t$  and by property of the stabilize relation, we can deduce  $\sigma'(id_t)(\text{"ic"})[0] = \text{not } \sigma'(id_c)$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"ic"})[0] = \text{not } \sigma'(id_c)$ :

$$\text{not } \sigma'(id_c) \cdot \prod_{i=1}^{|conds(t)|-1} \sigma'(id_t)(\text{"ic"})[i] = \prod_{c \in conds(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

By property of the  $\text{Inject}_{\uparrow}$  relation and  $id_c \in \text{Ins}(\Delta)$ , we can deduce  $\sigma'(id_c) = E_p(\tau, \uparrow)(id_c)$ .

By property of  $\gamma \vdash E_p \stackrel{\text{env}}{=} E_c$ , we can deduce  $E_p(\tau, \uparrow)(id_c) = E_c(\tau, c)$ .

Rewriting the goal with  $\sigma'(id_c) = E_p(\tau, \uparrow)(id_c)$  and  $E_p(\tau, \uparrow)(id_c) = E_c(\tau, c)$ :

$$\text{not } E_c(\tau, c) \cdot \prod_{i=1}^{|conds(t)|-1} \sigma'(id_t)(\text{"ic"})[i] = \prod_{c \in conds(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$$

By definition of the  $\prod$  operator, we can rewrite the right term of the goal as follows:

$$\text{not } E_c(\tau, c) \cdot \prod_{i=1}^{|conds(t)|-1} \sigma'(id_t)(\text{"ic"})[i] = \text{not } E_c(\tau, c) \cdot \prod_{c' \in conds(t) \setminus \{c\}} \begin{cases} E_c(\tau, c') & \text{if } \mathbb{C}(t, c') = 1 \\ \text{not}(E_c(\tau, c')) & \text{if } \mathbb{C}(t, c') = -1 \end{cases}$$

Appealing to the induction hypothesis, tautology.

□
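As an added example that is not taken from the thesis or from the HILECOP generator, a Python model of both sides of Lemma 25 (and of Lemma 23, whose statement is the same at the first rising edge): the condition matrix, `gamma`, `E_c` and `E_p` are constructed, with `E_p` built so that  $\gamma \vdash E_p \stackrel{\text{env}}{=} E_c$  holds, and the generic and port maps follow the "by construction" facts the proof appeals to.

```python
# Added example (not thesis or HILECOP code): the SITPN-side product over
# conds(t) beside the H-VHDL side, i.e. the <conditions_number => n> generic,
# the <input_conditions(i) => id_c / not id_c / true> port map generated "by
# construction", the Inject_up step that reads E_p, and the product of (A.8).
from typing import Callable, Dict, List, Tuple

CondMatrix = Dict[Tuple[str, str], int]    # C(t, c) in {1, -1, 0}; 0 = absent
CondEnv = Callable[[int, str], bool]       # E_c(tau, c)
PortEnv = Callable[[int, str, str], bool]  # E_p(tau, edge)(port id)


def conds(t: str, C: CondMatrix, all_conds: List[str]) -> List[str]:
    """conds(t) = {c in C | C(t,c) = 1 or C(t,c) = -1}, kept in a fixed order."""
    return [c for c in all_conds if C.get((t, c), 0) in (1, -1)]


def sitpn_condition_combination(t, C, all_conds, E_c: CondEnv, tau: int) -> bool:
    """Right-hand side of Lemma 25: product (conjunction) over conds(t)."""
    result = True
    for c in conds(t, C, all_conds):
        result = result and (E_c(tau, c) if C[(t, c)] == 1 else not E_c(tau, c))
    return result


def generate_transition_instance(t, C, all_conds, gamma: Dict[str, str]) -> dict:
    """gm_t / ipm_t of the generated transition component. Each
    input_conditions(i) entry is (source, negated): source is the input port
    gamma(c), or the constant "true" when conds(t) is empty."""
    cs = conds(t, C, all_conds)
    if not cs:  # <conditions_number => 1> and <input_conditions(0) => true>
        return {"conditions_number": 1, "input_conditions": [("true", False)]}
    return {"conditions_number": len(cs),
            "input_conditions": [(gamma[c], C[(t, c)] == -1) for c in cs]}


def vhdl_condition_combination(inst: dict, E_p: PortEnv, tau: int) -> bool:
    """Inject_up then stabilize: ic[i] takes E_p(tau, up)(id_c), negated when the
    map is <input_conditions(i) => not id_c>; scc is the product of (A.8)."""
    ic = []
    for i in range(inst["conditions_number"]):
        source, negated = inst["input_conditions"][i]
        v = True if source == "true" else E_p(tau, "up", source)
        ic.append(not v if negated else v)
    scc = True
    for v in ic:
        scc = scc and v
    return scc


# Constructed SITPN fragment: three conditions, three transitions; t2 has none.
ALL_CONDS = ["c1", "c2", "c3"]
C: CondMatrix = {("t1", "c1"): 1, ("t1", "c2"): -1, ("t3", "c3"): 1}
GAMMA = {"c1": "c1_port", "c2": "c2_port", "c3": "c3_port"}  # gamma(c) = id_c
# Constructed condition environment E_c, indexed by clock count tau.
E_C_TABLE = {0: {"c1": True, "c2": False, "c3": False},
             1: {"c1": True, "c2": True, "c3": True}}


def E_c(tau: int, c: str) -> bool:
    return E_C_TABLE[tau][c]


def E_p(tau: int, edge: str, port_id: str) -> bool:
    """Port environment chosen so that E_p(tau, up)(gamma(c)) = E_c(tau, c)."""
    inverse_gamma = {v: k for k, v in GAMMA.items()}
    return E_c(tau, inverse_gamma[port_id])


def both_sides(t: str, tau: int) -> Tuple[bool, bool]:
    """(SITPN value, H-VHDL value) of the condition combination of t at tau."""
    inst = generate_transition_instance(t, C, ALL_CONDS, GAMMA)
    return (sitpn_condition_combination(t, C, ALL_CONDS, E_c, tau),
            vhdl_condition_combination(inst, E_p, tau))


def lemma_25_holds() -> bool:
    """Both sides agree for every transition and every tau of the table."""
    return all(len(set(both_sides(t, tau))) == 1
               for t in ("t1", "t2", "t3") for tau in E_C_TABLE)


if __name__ == "__main__":
    for t in ("t1", "t2", "t3"):
        print(t, [both_sides(t, tau) for tau in E_C_TABLE])
    print(lemma_25_holds())  # True
```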

### A.3.3 Rising edge and time counters

**Lemma 26** (Rising edge equal time counters). *For all  $sitpn, d, \gamma, E_p, E_c, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_{\uparrow}, \sigma'$  that verify the hypotheses of Def. 32, then*

$$\begin{aligned} \forall t \in T_i, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t, \\ (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) \leq \text{lower}(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"}) \\ \wedge (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) > \text{lower}(I_s(t))) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = \text{lower}(I_s(t)) \\ \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) > \text{upper}(I_s(t))) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = \text{upper}(I_s(t)) \\ \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) \leq \text{upper}(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"})). \end{aligned}$$

*Proof.* Given a  $t \in T_i$  and an  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show

$$\begin{aligned} (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) \leq \text{lower}(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"}) \\ \wedge (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) > \text{lower}(I_s(t))) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = \text{lower}(I_s(t)) \\ \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) > \text{upper}(I_s(t))) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = \text{upper}(I_s(t)) \\ \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) \leq \text{upper}(I_s(t))) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"})) \end{aligned}$$

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ .

Then, there are 4 points to show:

1.  $\boxed{\text{upper}(I_s(t)) = \infty \wedge s'.I(t) \leq \text{lower}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"})}$

Assuming that  $\text{upper}(I_s(t)) = \infty$  and  $s'.I(t) \leq \text{lower}(I_s(t))$ , let us show

$$s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"}).$$

By property of the  $\text{Inject}_\uparrow$ ,  $\mathcal{H}$ -VHDL rising edge and stabilize relations,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `time_counter` process defined in the transition design architecture, we can deduce  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$ .

By property of  $\gamma \vdash s \stackrel{\downarrow}{\approx} \sigma$ , we can deduce  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$  and  $s.I(t) = \sigma(id_t)(\text{"stc"})$ , tautology.

2.  $\boxed{\text{upper}(I_s(t)) = \infty \wedge s'.I(t) > \text{lower}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{lower}(I_s(t))}$

Proved in the same fashion as 1.

3.  $\boxed{\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) > \text{upper}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{upper}(I_s(t))}$

Proved in the same fashion as 1.

4.  $\boxed{\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) \leq \text{upper}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"})}$

Proved in the same fashion as 1.

□

### A.3.4 Rising edge and reset orders

**Lemma 27** (Rising edge equal reset orders). *For all  $\text{sitpn}, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_\uparrow, \sigma'$  that verify the hypotheses of Def. 32, then*

$$\forall t \in T_i, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t, s'.\text{reset}_t(t) = \sigma'(id_t)(\text{"s\_reinit\_time\_counter"})$$

*Proof.* Given a  $t \in T_i$  and an  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show

$$s'.\text{reset}_t(t) = \sigma'(id_t)(\text{"s\_reinit\_time\_counter"}).$$

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the  $\mathcal{H}$ -VHDL stabilize relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `reinit_time_counter_evaluation` process defined in the transition design architecture, we can deduce:

$$\sigma'(id_t)(\text{"srtc"}) = \sum_{i=0}^{\Delta(id_t)(\text{"input\_arcs\_number"})-1} \sigma'(id_t)(\text{"reinit\_time"})[i] \tag{A.9}$$

Rewriting the goal with (A.9):  $s'.\text{reset}_t(t) = \sum_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"rt"})[i]$ .

Let us perform case analysis on  $\text{input}(t)$ ; there are two cases:

- **CASE**  $\text{input}(t) = \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow 1 \rangle \in gm_t$ , and by property of the elaboration relation, we can deduce  $\Delta(id_t)(\text{"ian"}) = 1$ .

By construction, there exists an  $id_{ft} \in Sigs(\Delta)$  s.t.  $\langle \text{reinit\_time}(0) \Rightarrow id_{ft} \rangle \in ipm_t$  and  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$ , and by property of the stabilize relation and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\sigma'(id_t)(\text{"rt"})[0] = \sigma'(id_{ft}) = \sigma'(id_t)(\text{"fired"})$ .

Rewriting the goal with  $\Delta(id_t)(\text{"ian"}) = 1$  and  $\sigma'(id_t)(\text{"rt"})[0] = \sigma'(id_{ft}) = \sigma'(id_t)(\text{"fired"})$ :  $s'.reset_t(t) = \sigma'(id_t)(\text{"fired"})$ .

By property of the stabilize relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `fired_evaluation` process defined in the transition design architecture, we can deduce:

$$\sigma'(id_t)(\text{"fired"}) = \sigma'(id_t)(\text{"s\_firable"}) \cdot \sigma'(id_t)(\text{"s\_priority\_combination"}) \tag{A.10}$$

Rewriting the goal with (A.10):

$$s'.reset_t(t) = \sigma'(id_t)(\text{"s\_firable"}) \cdot \sigma'(id_t)(\text{"s\_priority\_combination"}).$$

By property of the stabilize relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `priority_authorization_evaluation` process defined in the transition design architecture, we can deduce:

$$\sigma'(id_t)(\text{"spc"}) = \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"priority\_authorizations"})[i] \tag{A.11}$$

As  $\Delta(id_t)(\text{"ian"}) = 1$ , we can deduce  $\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \sigma'(id_t)(\text{"pauths"})[0]$ .

Rewriting the goal with (A.11) and  $\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \sigma'(id_t)(\text{"pauths"})[0]$ :  $s'.reset_t(t) = \sigma'(id_t)(\text{"s\_firable"}) \cdot \sigma'(id_t)(\text{"pauths"})[0]$ .

By construction,  $\langle \text{priority\_authorizations}(0) \Rightarrow \text{true} \rangle \in ipm_t$ , and by property of the stabilize relation and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\sigma'(id_t)(\text{"pauths"})[0] = \text{true}$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"pauths"})[0] = \text{true}$ , and simplifying the equation:

$$s'.reset_t(t) = \sigma'(id_t)(\text{"s\_firable"}).$$

Let us perform case analysis on  $t \in Fired(s)$  or  $t \notin Fired(s)$ :

- **CASE**  $t \in Fired(s)$ :

By property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$  (Rule (8)), we can deduce  $s'.reset_t(t) = \text{true}$ .

Rewriting the goal with  $s'.reset_t(t) = \text{true}$ :  $\sigma'(id_t)(\text{"s\_firable"}) = \text{true}$ .

By property of the stabilize, the  $\mathcal{H}$ -VHDL rising edge and the  $\text{Inject}_\uparrow$  relations,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `firable` process defined in the transition design architecture, we can deduce  $\sigma(id_t)(\text{"s\_firable"}) = \sigma'(id_t)(\text{"s\_firable"})$ .

Rewriting the goal with  $\sigma(id_t)(\text{"s\_firable"}) = \sigma'(id_t)(\text{"s\_firable"})$ :  $\sigma(id_t)(\text{"s\_firable"}) = \text{true}$ .

By property of  $\gamma \vdash s \approx \sigma$ , we can deduce  $t \in Firable(s) \Leftrightarrow \sigma(id_t)(\text{"sfa"}) = \text{true}$ .

Rewriting the goal with  $t \in Firable(s) \Leftrightarrow \sigma(id_t)(\text{"sfa"}) = \text{true}$ :  $t \in Firable(s)$ .

By property of  $t \in Fired(s)$ ,  $t \in Firable(s)$ .

- **CASE**  $t \notin Fired(s)$ :

By property of  $input(t) = \emptyset$ , there does not exist any input place connected to  $t$  by a basic or test arc. Thus, by property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$  (Rule (8)), we can deduce  $s'.reset_t(t) = \text{false}$ .

Rewriting the goal with  $s'.reset_t(t) = \text{false}$ :  $\sigma'(id_t)(\text{"s\_firable"}) = \text{false}$ .

By property of the stabilize, the  $\mathcal{H}$ -VHDL rising edge and the  $\text{Inject}_\uparrow$  relations,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `firable` process defined in the transition design architecture, we can deduce  $\sigma(id_t)(\text{"sfa"}) = \sigma'(id_t)(\text{"sfa"})$ .

Rewriting the goal with  $\sigma(id_t)(\text{"sfa"}) = \sigma'(id_t)(\text{"sfa"})$ :  $\sigma(id_t)(\text{"sfa"}) = \text{false}$ .

By property of  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$ , we can deduce  $t \notin Firable(s) \Leftrightarrow \sigma(id_t)(\text{"sfa"}) = \text{false}$ .

By property of  $t \notin Fired(s)$  and  $input(t) = \emptyset$ ,  $t \notin Firable(s)$ .

- **CASE**  $input(t) \neq \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |input(t)| \rangle \in gm_t$ , and by property of the elaboration relation, we can deduce  $\Delta(id_t)(\text{"ian"}) = |input(t)|$ .

Rewriting the goal with  $\Delta(id_t)(\text{"ian"}) = |input(t)|$ :  $s'.reset_t(t) = \sum_{i=0}^{|input(t)|-1} \sigma'(id_t)(\text{"rt"})[i]$ .

Let us perform case analysis on  $t \in Fired(s)$  or  $t \notin Fired(s)$ :

- **CASE**  $t \in Fired(s)$ :

By property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$  (Rule (8)), we can deduce  $s'.reset_t(t) = \text{true}$ .

Rewriting the goal with  $s'.reset_t(t) = \text{true}$ :  $\sum_{i=0}^{|input(t)|-1} \sigma'(id_t)(\text{"rt"})[i] = \text{true}$ .

To prove the goal, let us show  $\exists i \in [0, |input(t)| - 1] \text{ s.t. } \sigma'(id_t)(\text{"rt"})[i] = \text{true}$ .

By construction, and  $input(t) \neq \emptyset$ , there exist  $p \in input(t)$  and  $id_p \in \text{Comps}(\Delta)$  s.t.  $\gamma(p) = id_p$ .

By construction and by definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ .

By construction, there exist an  $i \in [0, |input(t)| - 1]$ , a  $j \in [0, |output(p)| - 1]$  and  $id_{ji} \in Sigs(\Delta)$  s.t.  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ . Let us take such an  $i, j$  and  $id_{ji}$ , and let us use  $i$  to prove the goal:  $\sigma'(id_t)(\text{"rt"})[i] = \text{true}$ .

By property of the stabilize relation,  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ , we can deduce  $\sigma'(id_t)(\text{"rt"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"rtt"})[j]$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"rt"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"rtt"})[j]$ :  $\sigma'(id_p)(\text{"rtt"})[j] = \text{true}$ .

By property of the  $\text{Inject}_\uparrow$ , the  $\mathcal{H}$ -VHDL rising edge and the stabilize relations,  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the `reinit_transitions_time_evaluation` process defined in the place design architecture, we can deduce:

$$\begin{aligned} \sigma'(id_p)(\text{"rtt"})[j] &= ((\sigma(id_p)(\text{"oat"})[j] = \text{basic} + \sigma(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ &\quad \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \\ &\quad + \sigma(id_p)(\text{"otf"})[j] \end{aligned} \tag{A.12}$$

Rewriting the goal with (A.12):

$$\begin{aligned} \text{true} &= ((\sigma(id_p)(\text{"oat"})[j] = \text{basic} + \sigma(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ &\quad \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \\ &\quad + \sigma(id_p)(\text{"otf"})[j] \end{aligned}$$

By construction, there exists  $id_{ft} \in Sigs(\Delta)$  s.t.  $\langle \text{output\_transitions\_fired}(j) \Rightarrow id_{ft} \rangle \in ipm_p$  and  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$ . By property of state  $\sigma$  as being a stable state, we can deduce  $\sigma(id_t)(\text{"fired"}) = \sigma(id_{ft}) = \sigma(id_p)(\text{"otf"})[j]$ .

Rewriting the goal with  $\sigma(id_t)(\text{"fired"}) = \sigma(id_{ft}) = \sigma(id_p)(\text{"otf"})[j]$ :

$$\begin{aligned} \text{true} &= ((\sigma(id_p)(\text{"oat"})[j] = \text{basic} + \sigma(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ &\quad \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \\ &\quad + \sigma(id_t)(\text{"fired"}) \end{aligned}$$

By property of  $\gamma \vdash s \stackrel{\downarrow}{\approx} \sigma$ , we can deduce  $t \in Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{true}$ .

Rewriting the goal with  $t \in Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{true}$  and simplifying the goal: tautology.

- **CASE**  $t \notin Fired(s)$ : Then, there are two cases that will determine the value of  $s'.reset_t(t)$ . Either there exists a place  $p$  with an output token sum greater than zero, connected to  $t$  by a `basic` or `test` arc, and such that the transient marking of  $p$  disables  $t$ ; or such a place does not exist (the predicate is decidable).

  - **CASE** there exists such a place  $p$  as described above:

Then, let us take such a place  $p$  and  $\omega \in \mathbb{N}^*$  s.t.:

1.  $\sum_{t_i \in Fired(s)} pre(p, t_i) > 0$
2.  $pre(p, t) = (\omega, \text{basic}) \vee pre(p, t) = (\omega, \text{test})$
3.  $s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega$

We will only consider the case where  $pre(p, t) = (\omega, \text{basic})$ ; the proof is similar when  $pre(p, t) = (\omega, \text{test})$ .

Assuming that  $p$  exists, and by property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$  (Rule (8)), we can deduce  $s'.reset_t(t) = \text{true}$ .

Rewriting the goal with  $s'.reset_t(t) = \text{true}$ :  $\sum_{i=0}^{|input(t)|-1} \sigma'(id_t)(\text{"rt"})[i] = \text{true}$ .

To prove the goal, let us show  $\exists i \in [0, |input(t)| - 1] \text{ s.t. } \sigma'(id_t)(\text{"rt"})[i] = \text{true}$ .

By construction, there exists  $id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p$ .

By construction and by definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ .

By construction, there exist an  $i \in [0, |input(t)| - 1]$ , a  $j \in [0, |output(p)| - 1]$  and  $id_{ji} \in Sigs(\Delta)$  s.t.  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ . Let us take such an  $i, j$  and  $id_{ji}$ , and let us use  $i$  to prove the goal:  $\sigma'(id_t)(\text{"rt"})[i] = \text{true}$ .

By property of the stabilize relation,  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ , we can deduce  $\sigma'(id_t)(\text{"rt"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"rtt"})[j]$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"rt"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"rtt"})[j]$ :  $\sigma'(id_p)(\text{"rtt"})[j] = \text{true}$ .

By property of the  $\text{Inject}_\uparrow$ , the  $\mathcal{H}$ -VHDL rising edge and the stabilize relations,  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the `reinit_transitions_time_evaluation` process defined in the place design architecture, we can deduce:

$$\begin{aligned} \sigma'(id_p)(\text{"rtt"})[j] &= ((\sigma(id_p)(\text{"oat"})[j] = \text{basic} + \sigma(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ &\quad \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \\ &\quad + \sigma(id_p)(\text{"otf"})[j] \end{aligned} \tag{A.13}$$

Rewriting the goal with (A.13),

$$\begin{aligned} \text{true} &= ((\sigma(id_p)(\text{"oat"})[j] = \text{basic} + \sigma(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ &\quad \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \\ &\quad + \sigma(id_p)(\text{"otf"})[j] \end{aligned}$$

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{basic} \rangle \in ipm_p$  and  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of state  $\sigma$  as being a stable state and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma(id_p)(\text{"oat"})[j] = \text{basic}$  and  $\sigma(id_p)(\text{"oaw"})[j] = \omega$ .

By construction, there exists  $id_{ft} \in Sigs(\Delta)$  s.t.  $\langle \text{output\_transitions\_fired}(j) \Rightarrow id_{ft} \rangle \in ipm_p$  and  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$ . By property of state  $\sigma$  as being a stable state, we can deduce  $\sigma(id_t)(\text{"fired"}) = \sigma(id_{ft}) = \sigma(id_p)(\text{"otf"})[j]$ .

By property of  $\gamma \vdash s \approx \sigma$ , we can deduce  $\sigma(id_p)(\text{"sm"}) = s.M(p)$  and  $\sigma(id_p)(\text{"sots"}) = \sum_{t_i \in Fired(s)} pre(p, t_i)$ .

Rewriting the goal with  $\sigma(id_p)(\text{"oat"})[j] = \text{basic}$ ,  $\sigma(id_p)(\text{"oaw"})[j] = \omega$ ,  $\sigma(id_t)(\text{"fired"}) = \sigma(id_p)(\text{"otf"})[j]$ ,  $\sigma(id_p)(\text{"sm"}) = s.M(p)$  and  $\sigma(id_p)(\text{"sots"}) = \sum_{t_i \in Fired(s)} pre(p, t_i)$ , and simplifying the goal:

$$((s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega) \cdot (\sum_{t_i \in Fired(s)} pre(p, t_i) > 0)) + \sigma(id_t)(\text{"fired"}) = \text{true}$$

We assumed that  $s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega$  and  $\sum_{t_i \in Fired(s)} pre(p, t_i) > 0$ . Thus, both factors of the first summand are  $\text{true}$ , and the goal holds whatever the value of  $\sigma(id_t)(\text{"fired"})$ :

$$((s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega) \cdot (\sum_{t_i \in Fired(s)} pre(p, t_i) > 0)) + \sigma(id_t)(\text{"fired"}) = \text{true}$$

  - **CASE** such a place does not exist:

Then, let us assume that, for every place  $p \in P$ :

1.  $\sum_{t_i \in Fired(s)} pre(p, t_i) = 0$
2. or  $\forall \omega \in \mathbb{N}^*, pre(p, t) = (\omega, \text{basic}) \vee pre(p, t) = (\omega, \text{test}) \Rightarrow s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) \geq \omega$ .

In that case, by property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$  (Rule (8)), we can deduce  $s'.reset_t(t) = \text{false}$ .

Rewriting the goal with  $s'.reset_t(t) = \text{false}$ :  $\sum_{i=0}^{|input(t)|-1} \sigma'(id_t)(\text{"rt"})[i] = \text{false}$ .

To prove the goal, let us show  $\forall i \in [0, |input(t)| - 1], \sigma'(id_t)(\text{"rt"})[i] = \text{false}$ .

Given an  $i \in [0, |input(t)| - 1]$ , let us show  $\sigma'(id_t)(\text{"rt"})[i] = \text{false}$ .

By construction, there exist a  $p \in input(t)$ , an  $id_p \in Comps(\Delta)$ ,  $gm_p, ipm_p, opm_p$ , a  $j \in [0, |output(p)| - 1]$ , an  $id_{ji} \in Sigs(\Delta)$  s.t.  $\gamma(p) = id_p$  and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$  and  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ . Let us take such a  $p, id_p, gm_p, ipm_p, opm_p, j$  and  $id_{ji}$ .

By property of the stabilize relation,  $\langle \text{reinit\_transition\_time}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{reinit\_time}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ , we can deduce  $\sigma'(id_t)(\text{"rt"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"rtt"})[j]$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"rt"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"rtt"})[j]$ :  $\sigma'(id_p)(\text{"rtt"})[j] = \text{false}$ .

By property of the  $\text{Inject}_\uparrow$ , the  $\mathcal{H}$ -VHDL rising edge and the stabilize relations,  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the `reinit_transitions_time_evaluation` process defined in the place design architecture, we can deduce:

$$\begin{aligned} \sigma'(id_p)(\text{"rtt"})[j] &= ((\sigma(id_p)(\text{"oat"})[j] = \text{basic} + \sigma(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ &\quad \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \\ &\quad + \sigma(id_p)(\text{"otf"})[j] \end{aligned} \tag{A.14}$$

Rewriting the goal with (A.14):

$$\begin{aligned} \text{false} &= ((\sigma(id_p)(\text{"oat"})[j] = \text{basic} + \sigma(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ &\quad \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \\ &\quad + \sigma(id_p)(\text{"otf"})[j] \end{aligned}$$

By construction, there exists  $id_{ft} \in Sigs(\Delta)$  s.t.  $\langle \text{output\_transitions\_fired}(j) \Rightarrow id_{ft} \rangle \in ipm_p$  and  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$ . By property of state  $\sigma$  as being a stable state, we can deduce  $\sigma(id_t)(\text{"fired"}) = \sigma(id_{ft}) = \sigma(id_p)(\text{"otf"})[j]$ .

Rewriting the goal with  $\sigma(id_t)(\text{"fired"}) = \sigma(id_{ft}) = \sigma(id_p)(\text{"otf"})[j]$ :

$$\begin{aligned} \text{false} &= ((\sigma(id_p)(\text{"oat"})[j] = \text{basic} + \sigma(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ &\quad \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \\ &\quad + \sigma(id_t)(\text{"fired"}) \end{aligned}$$

By property of  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$ , we can deduce  $t \notin Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{false}$ .

Rewriting the goal with  $t \notin Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{false}$  and simplifying the goal:

$$\begin{aligned} \text{false} &= ((\sigma(id_p)(\text{"oat"})[j] = \text{basic} + \sigma(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (\sigma(id_p)(\text{"sm"}) - \sigma(id_p)(\text{"sots"}) < \sigma(id_p)(\text{"oaw"})[j]) \\ &\quad \cdot (\sigma(id_p)(\text{"sots"}) > 0)) \end{aligned}$$

Then, based on the assumptions made at the beginning of this case, there are two cases:

1. **CASE**  $\sum_{t_i \in Fired(s)} pre(p, t_i) = 0$ :

By property of  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$ , we can deduce  $\sum_{t_i \in Fired(s)} pre(p, t_i) = \sigma(id_p)(\text{"sots"})$ .

Rewriting the goal with  $\sum_{t_i \in Fired(s)} pre(p, t_i) = \sigma(id_p)(\text{"sots"})$  and  $\sum_{t_i \in Fired(s)} pre(p, t_i) = 0$ , and simplifying the goal: **tautology**.

2. **CASE**  $\forall \omega \in \mathbb{N}^*, pre(p, t) = (\omega, \text{basic}) \vee pre(p, t) = (\omega, \text{test}) \Rightarrow s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) \geq \omega$ :

Let us perform case analysis on  $pre(p, t)$ ; there are two cases:

- (a) **CASE**  $pre(p, t) = (\omega, \text{basic})$  or  $pre(p, t) = (\omega, \text{test})$ :

By construction,  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of stable state  $\sigma$  and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma(id_p)(\text{"oaw"})[j] = \omega$ .

By property of  $\gamma \vdash s \overset{\downarrow}{\approx} \sigma$ , we can deduce  $\sigma(id_p)(\text{"sm"}) = s.M(p)$  and  $\sigma(id_p)(\text{"sots"}) = \sum_{t_i \in Fired(s)} pre(p, t_i)$ .

Rewriting the goal with  $\sigma(id_p)(\text{"oaw"})[j] = \omega$ ,  $\sigma(id_p)(\text{"sm"}) = s.M(p)$  and  $\sigma(id_p)(\text{"sots"}) = \sum_{t_i \in Fired(s)} pre(p, t_i)$ :

$$\begin{aligned} \text{false} &= ((\sigma(id_p)(\text{"oat"})[j] = \text{basic} + \sigma(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot (s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega) \\ &\quad \cdot (\sum_{t_i \in Fired(s)} pre(p, t_i) > 0)) \end{aligned}$$

We assumed that  $s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) \geq \omega$ , and thus we can deduce  $(s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega) = \text{false}$ .

Rewriting the goal with  $(s.M(p) - \sum_{t_i \in Fired(s)} pre(p, t_i) < \omega) = \text{false}$ , and simplifying the goal: tautology.

- (b) **CASE**  $pre(p, t) = (\omega, \text{inhib})$ :

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{inhib} \rangle \in ipm_p$ .

By property of stable state  $\sigma$  and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma(id_p)(\text{"oat"})[j] = \text{inhib}$ .

Rewriting the goal with  $\sigma(id_p)(\text{"oat"})[j] = \text{inhib}$ , and simplifying the goal, tautology.

□
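The equality that Lemma 27 establishes can also be exercised on concrete nets. The Python script below is an added example, not part of the thesis or of the HILECOP tooling: it evaluates the SITPN side (Rule (8) as restated in the case analysis above) and the  $\mathcal{H}$ -VHDL side (Eq. (A.9) applied to the outputs of Eq. (A.12), plus the wiring used when a transition has no input place) on the same constructed state, and sweeps every configuration of two places and two transitions. It assumes that only basic arcs contribute to the output token sum; all place, transition and signal names are constructed.

```python
"""Differential check of Lemma 27 on small constructed nets.

Added example, not part of the thesis or of HILECOP.  sitpn_reset evaluates
the reset order of Rule (8) as restated in the proof; hvhdl_reset evaluates
Eq. (A.9) over Eq. (A.12), i.e. the reinit_time inputs of the transition
component wired to the reinit_transitions_time outputs of its input places.
"""
from dataclasses import dataclass
from itertools import combinations, product

BASIC, TEST, INHIB = "basic", "test", "inhib"
ARC_KINDS = (BASIC, TEST, INHIB)


@dataclass(frozen=True)
class Arc:
    weight: int  # omega
    kind: str    # basic, test or inhib


@dataclass
class State:
    """The part of an SITPN and of its state s that Rule (8) reads."""
    marking: dict     # s.M : place -> tokens
    pre: dict         # pre(p, t) : (place, transition) -> Arc; no entry = no arc
    fired: frozenset  # Fired(s)


def output_token_sum(st, p):
    """sum_{t_i in Fired(s)} pre(p, t_i): tokens consumed from p by fired transitions.

    Assumption (not stated on the page): only basic arcs consume tokens.
    """
    return sum(a.weight for (q, t), a in st.pre.items()
               if q == p and t in st.fired and a.kind == BASIC)


def sitpn_reset(st, t):
    """Rule (8): s'.reset_t(t), as restated in the case analysis of the proof."""
    if t in st.fired:
        return True
    for (p, tt), a in st.pre.items():
        if tt != t or a.kind == INHIB:
            continue  # only basic and test arcs can disable t
        sots = output_token_sum(st, p)
        # the transient marking of p disables t, and p did lose tokens
        if sots > 0 and st.marking[p] - sots < a.weight:
            return True
    return False


def place_rtt(sm, sots, oat, oaw, otf):
    """Eq. (A.12): reinit_transitions_time(j) of a place component.

    sm = s_marking, sots = s_output_token_sum, oat/oaw = type and weight of
    output arc j, otf = output_transitions_fired(j), all read in the stable
    state sigma preceding the rising edge.  "+" is or, "." is and.
    """
    return ((oat in (BASIC, TEST)) and (sm - sots < oaw) and (sots > 0)) or otf


def hvhdl_reset(st, t):
    """s_reinit_time_counter of the transition component once stabilised.

    Eq. (A.9) ORs the reinit_time array.  A transition without input place
    has input_arcs_number = 1 and reinit_time(0) wired to its own fired port
    (the input(t) = empty case of the proof), so its order is just "fired".
    """
    fired = t in st.fired  # sigma(id_t)("fired") in the stable state sigma
    inputs = [(p, a) for (p, tt), a in st.pre.items() if tt == t]
    if not inputs:
        return fired
    return any(place_rtt(st.marking[p], output_token_sum(st, p),
                         a.kind, a.weight, fired) for p, a in inputs)


def sweep(max_tokens=2, max_weight=2):
    """Compare both sides on every net with two places and two transitions.

    Returns (number of (state, transition) pairs checked, number of disagreements).
    """
    places, transitions = ("p0", "p1"), ("t0", "t1")
    arc_options = [None] + [Arc(w, k) for w in range(1, max_weight + 1)
                            for k in ARC_KINDS]
    pairs = [(p, t) for p in places for t in transitions]
    checked = mismatches = 0
    for arcs in product(arc_options, repeat=len(pairs)):
        pre = {pt: a for pt, a in zip(pairs, arcs) if a is not None}
        for marks in product(range(max_tokens + 1), repeat=len(places)):
            for k in range(len(transitions) + 1):
                for fired in combinations(transitions, k):
                    st = State(dict(zip(places, marks)), pre, frozenset(fired))
                    for t in transitions:
                        checked += 1
                        mismatches += sitpn_reset(st, t) != hvhdl_reset(st, t)
    return checked, mismatches


if __name__ == "__main__":
    n, bad = sweep()
    print(f"{n} configurations checked, {bad} disagreements")
```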

### A.3.5 Rising edge and action executions

**Lemma 28** (Rising edge equal action executions). *For all  $sitpn, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_\uparrow, \sigma'$  that verify the hypotheses of Def. 32, then*

$$\forall a \in \mathcal{A}, id_a \in Outs(\Delta) \text{ s.t. } \gamma(a) = id_a, s'.ex(a) = \sigma'(id_a).$$

*Proof.* Given an  $a \in \mathcal{A}$  and an  $id_a \in Outs(\Delta)$  s.t.  $\gamma(a) = id_a$ , let us show  $s'.ex(a) = \sigma'(id_a)$ .

By property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$ , we can deduce  $s.ex(a) = s'.ex(a)$ .

By construction,  $id_a$  is an output port identifier of Boolean type in the  $\mathcal{H}$ -VHDL design  $d$ . The generated “action” process is responsible for the assignment of  $id_a$  only during the initialization phase or during a falling edge phase.

By property of the  $\mathcal{H}$ -VHDL  $\text{Inject}_\uparrow$ , rising edge, stabilize relations, and the “action” process, we can deduce  $\sigma(id_a) = \sigma'(id_a)$ .

Rewriting the goal with  $s.ex(a) = s'.ex(a)$  and  $\sigma(id_a) = \sigma'(id_a)$ :  $s.ex(a) = \sigma(id_a)$ .

By property of  $\gamma \vdash s \approx \sigma$ ,  $s.ex(a) = \sigma(id_a)$ .

□

### A.3.6 Rising edge and function executions

**Lemma 29** (Rising edge equal function executions). *For all  $sitpn, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_\uparrow, \sigma'$  that verify the hypotheses of Def. 32, then*

$$\forall f \in \mathcal{F}, id_f \in Outs(\Delta) \text{ s.t. } \gamma(f) = id_f, s'.ex(f) = \sigma'(id_f).$$

*Proof.* Given an  $f \in \mathcal{F}$  and an  $id_f \in Outs(\Delta)$  s.t.  $\gamma(f) = id_f$ , let us show  $s'.ex(f) = \sigma'(id_f)$ .

By property of  $E_c, \tau \vdash s \xrightarrow{\uparrow} s'$  (Rule (9)):

$$s'.ex(f) = \sum_{t \in Fired(s)} \mathbb{F}(t, f) \tag{A.15}$$

By construction,  $id_f$  is an output port identifier of Boolean type in the  $\mathcal{H}$ -VHDL design  $d$ . The generated function process assigns a value to the output port  $id_f$  only during the initialization phase or during a rising edge phase.

By construction, the function process is defined in the behavior of design  $d$ , i.e.

$$\text{ps}("function", \emptyset, sl, ss) \in d.cs.$$

Let  $\text{trs}(f)$  be the set of transitions associated to function  $f$ , i.e.  $\text{trs}(f) = \{t \in T \mid \mathbb{F}(t, f) = \text{true}\}$ .

Let us perform case analysis on  $\text{trs}(f)$ ; there are two cases:

- **CASE**  $\text{trs}(f) = \emptyset$ :

By construction,  $\text{id}_f \Leftarrow \text{false} \in ss_{\uparrow}$  where  $ss_{\uparrow}$  is the part of the function process body executed during a rising edge phase.

By property of the  $\mathcal{H}$ -VHDL rising edge, the stabilize relations and  $\text{ps}("function", \emptyset, sl, ss) \in d.cs$ , we can deduce  $\sigma'(\text{id}_f) = \text{false}$ .

By property of  $\sum_{t \in Fired(s)} \mathbb{F}(t, f)$  and  $\text{trs}(f) = \emptyset$ , we can deduce  $\sum_{t \in Fired(s)} \mathbb{F}(t, f) = \text{false}$ .

Rewriting the goal with (A.15),  $\sigma'(\text{id}_f) = \text{false}$  and  $\sum_{t \in Fired(s)} \mathbb{F}(t, f) = \text{false}$ : tautology.

- **CASE**  $\text{trs}(f) \neq \emptyset$ :

By construction,  $\text{id}_f \Leftarrow \text{id}_{ft_0} + \dots + \text{id}_{ft_n} \in ss_{\uparrow}$ , where  $\text{id}_{ft_i} \in \text{Sigs}(\Delta)$ ,  $ss_{\uparrow}$  is the part of the function process body executed during a rising edge phase, and  $n = |\text{trs}(f)| - 1$ .

By property of the  $\text{Inject}_{\uparrow}$ , the  $\mathcal{H}$ -VHDL rising edge, the stabilize relations, and  $\text{ps}("function", \emptyset, sl, ss) \in d.cs$ , we can deduce:

$$\sigma'(\text{id}_f) = \sigma(\text{id}_{ft_0}) + \dots + \sigma(\text{id}_{ft_n}) \tag{A.16}$$

Rewriting the goal with (A.15) and (A.16):  $\boxed{\sum_{t \in Fired(s)} \mathbb{F}(t, f) = \sigma(\text{id}_{ft_0}) + \dots + \sigma(\text{id}_{ft_n})}$ .

Let us reason on the value of  $\sigma(\text{id}_{ft_0}) + \dots + \sigma(\text{id}_{ft_n})$ ; there are two cases:

- **CASE**  $\sigma(\text{id}_{ft_0}) + \dots + \sigma(\text{id}_{ft_n}) = \text{true}$ :

Then, we can rewrite the goal as follows:  $\boxed{\sum_{t \in Fired(s)} \mathbb{F}(t, f) = \text{true}}$ .

To prove the above goal, let us show  $\boxed{\exists t \in Fired(s) \text{ s.t. } \mathbb{F}(t, f) = \text{true}}$ .

From  $\sigma(\text{id}_{ft_0}) + \dots + \sigma(\text{id}_{ft_n}) = \text{true}$ , we can deduce  $\exists \text{id}_{ft_i} \text{ s.t. } \sigma(\text{id}_{ft_i}) = \text{true}$ . Let us take such an  $\text{id}_{ft_i}$ .

By construction, there exist a  $t \in \text{trs}(f)$ , an  $\text{id}_t \in \text{Comps}(\Delta)$ ,  $gm_t, ipm_t, opm_t$  such that:

- $\gamma(t) = \text{id}_t$
- $\text{comp}(\text{id}_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$
- $\langle \text{fired} \Rightarrow \text{id}_{ft_i} \rangle \in opm_t$

By property of  $\sigma$  as being a stable design state, and  $\text{comp}(\text{id}_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\sigma(\text{id}_t)(\text{"fired"}) = \sigma(\text{id}_{ft_i})$ , and thus that  $\sigma(\text{id}_t)(\text{"fired"}) = \text{true}$ .

By property of  $\gamma \vdash s \approx \sigma$ , we can deduce  $t \in Fired(s)$ .

Let us use  $t$  to prove the goal:  $\boxed{\mathbb{F}(t, f) = \text{true}}$ .

By definition of  $t \in \text{trs}(f)$ ,  $\boxed{\mathbb{F}(t, f) = \text{true}}$ .

- **CASE**  $\sigma(id_{ft_0}) + \dots + \sigma(id_{ft_n}) = \text{false}$ :

Then, we can rewrite the goal as follows:  $\sum_{t \in Fired(s)} \mathbb{F}(t, f) = \text{false}$ .

To prove the above goal, let us show  $\forall t \in Fired(s), \mathbb{F}(t, f) = \text{false}$ .

Given a  $t \in Fired(s)$ , let us show  $\mathbb{F}(t, f) = \text{false}$ .

Let us perform case analysis on  $\mathbb{F}(t, f)$ ; there are 2 cases:

  - **CASE**  $\mathbb{F}(t, f) = \text{false}$ : this is the goal.

  - **CASE**  $\mathbb{F}(t, f) = \text{true}$ :

By construction, there exist an  $id_t \in Comps(\Delta)$ ,  $gm_t$ ,  $ipm_t$ ,  $opm_t$  and  $id_{ft_i} \in Sigs(\Delta)$  such that:

- $\gamma(t) = id_t$
- $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$
- $\langle \text{fired} \Rightarrow id_{ft_i} \rangle \in opm_t$

By property of stable design state  $\sigma$  and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\sigma(id_t)(\text{"fired"}) = \sigma(id_{ft_i})$ .

By property of  $\gamma \vdash s \approx \sigma$ , we can deduce  $t \in Fired(s) \Leftrightarrow \sigma(id_t)(\text{"fired"}) = \text{true}$ .

Since  $t \in Fired(s)$ , we can deduce  $\sigma(id_t)(\text{"fired"}) = \text{true}$ , and from  $\sigma(id_t)(\text{"fired"}) = \sigma(id_{ft_i})$ , we can deduce  $\sigma(id_{ft_i}) = \text{true}$ .

Then,  $\sigma(id_{ft_i}) = \text{true}$  contradicts  $\sigma(id_{ft_0}) + \dots + \sigma(id_{ft_n}) = \text{false}$ .

□

### A.3.7 Rising edge and sensitization

**Lemma 30** (Rising edge equal sensitized). *For all  $sitpn$ ,  $d$ ,  $\gamma$ ,  $E_c$ ,  $E_p$ ,  $\tau$ ,  $\Delta$ ,  $\sigma_e$ ,  $s$ ,  $s'$ ,  $\sigma$ ,  $\sigma_i$ ,  $\sigma_\uparrow$ ,  $\sigma'$  that verify the hypotheses of Def. 32, then*

$\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \in Sens(s'.M) \Leftrightarrow \sigma'(id_t)(\text{"s\_enabled"}) = \text{true}$ .

*Proof.* Given a  $t \in T$  and an  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show

$t \in Sens(s'.M) \Leftrightarrow \sigma'(id_t)(\text{"s\_enabled"}) = \text{true}$ .

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ . Then, the proof is in two parts:

1. Assuming that  $t \in Sens(s'.M)$ , let us show  $\sigma'(id_t)(\text{"s\_enabled"}) = \text{true}$ .

By property of the stabilize relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `enable_evaluation` process defined in the transition design architecture, we can deduce:

$$\sigma'(id_t)(\text{"se"}) = \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"input\_arcs\_valid"})[i] \tag{A.17}$$

Rewriting the goal with (A.17),  $\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"iav"})[i] = \text{true}$ .

To prove the goal, let us show that  $\forall i \in [0, \Delta(id_t)(\text{"ian"}) - 1], \sigma'(id_t)(\text{"iav"})[i] = \text{true}$ .

Given an  $i \in [0, \Delta(id_t)(\text{"ian"}) - 1]$ , let us show  $\sigma'(id_t)(\text{"iav"})[i] = \text{true}$ .

Let us perform case analysis on  $\text{input}(t)$ .

- **CASE**  $\text{input}(t) = \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow 1 \rangle \in gm_t$  and  $\langle \text{input\_arcs\_valid}(0) \Rightarrow \text{true} \rangle \in ipm_t$ .

By property of the elaboration and stabilize relations and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\Delta(id_t)(\text{"ian"}) = 1$  and  $\sigma'(id_t)(\text{"iav"})[0] = \text{true}$ .

Thanks to  $\Delta(id_t)(\text{"ian"}) = 1$ , we can deduce that  $i = 0$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"iav"})[0] = \text{true}$ , tautology.

- **CASE**  $\text{input}(t) \neq \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |\text{input}(t)| \rangle \in gm_t$ .

By property of the elaboration relation and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\Delta(id_t)(\text{"ian"}) = |\text{input}(t)|$ .

Thanks to  $\Delta(id_t)(\text{"ian"}) = |\text{input}(t)|$ , we know that  $i \in [0, |\text{input}(t)| - 1]$ .

By construction, there exist a  $p \in \text{input}(t), id_p \in \text{Comps}(\Delta), gm_p, ipm_p, opm_p, j \in [0, |\text{output}(p)| - 1]$  and  $id_{ji} \in Sigs(\Delta)$  s.t.  $\gamma(p) = id_p$  and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$  and  $\langle \text{output\_arcs\_valid}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{input\_arcs\_valid}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ .

By property of the stabilize relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$  and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma'(id_t)(\text{"iav"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"oav"})[j]$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"iav"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"oav"})[j]$ :

$\sigma'(id_p)(\text{"oav"})[j] = \text{true}$ .

By property of the stabilize relation,  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the marking\_validation\_evaluation process defined in the place design architecture, we can deduce:

$$\begin{aligned} \sigma'(id_p)(\text{"oav"})[j] &= ((\sigma'(id_p)(\text{"oat"})[j] = \text{basic} + \sigma'(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot \sigma'(id_p)(\text{"sm"}) \geq \sigma'(id_p)(\text{"oaw"})[j]) \\ &\quad + (\sigma'(id_p)(\text{"oat"})[j] = \text{inhib} \cdot \sigma'(id_p)(\text{"sm"}) < \sigma'(id_p)(\text{"oaw"})[j]) \end{aligned} \tag{A.18}$$

Rewriting the goal with (A.18),

$$\begin{aligned} \text{true} &= ((\sigma'(id_p)(\text{"oat"})[j] = \text{basic} + \sigma'(id_p)(\text{"oat"})[j] = \text{test}) \\ &\quad \cdot \sigma'(id_p)(\text{"sm"}) \geq \sigma'(id_p)(\text{"oaw"})[j]) \\ &\quad + (\sigma'(id_p)(\text{"oat"})[j] = \text{inhib} \cdot \sigma'(id_p)(\text{"sm"}) < \sigma'(id_p)(\text{"oaw"})[j]) \end{aligned}$$

Let us perform case analysis on  $\text{pre}(p, t)$ ; there are 3 cases:

- **CASE**  $\text{pre}(p, t) = (\omega, \text{basic})$ :

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{basic} \rangle \in ipm_p$  and  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma'(id_p)(\text{"oat"})[j] = \text{basic}$  and  $\sigma'(id_p)(\text{"oaw"})[j] = \omega$ .

Rewriting the goal with  $\sigma'(id_p)(\text{"oat"})[j] = \text{basic}$  and  $\sigma'(id_p)(\text{"oaw"})[j] = \omega$ , and simplifying the goal:

$$\boxed{\sigma'(id_p)(\text{"sm"}) \geq \omega = \text{true.}}$$

Appealing to Lemma 24, we can deduce  $s'.M(p) = \sigma'(id_p)(\text{"sm"})$ .

Rewriting the goal with  $s'.M(p) = \sigma'(id_p)(\text{"sm"})$ :

$$\boxed{s'.M(p) \geq \omega = \text{true.}}$$

By definition of $t \in \text{Sens}(s'.M)$ and $\text{pre}(p, t) = (\omega, \text{basic})$, we have $s'.M(p) \geq \omega$, which closes the goal.

- CASE  $\text{pre}(p, t) = (\omega, \text{test})$ : same as above.

- CASE  $\text{pre}(p, t) = (\omega, \text{inhib})$ :

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{inhib} \rangle \in ipm_p$  and  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma'(id_p)(\text{"oat"})[j] = \text{inhib}$  and  $\sigma'(id_p)(\text{"oaw"})[j] = \omega$ .

Rewriting the goal with  $\sigma'(id_p)(\text{"oat"})[j] = \text{inhib}$  and  $\sigma'(id_p)(\text{"oaw"})[j] = \omega$ , and simplifying the goal:

$$\boxed{\sigma'(id_p)(\text{"sm"}) < \omega = \text{true.}}$$

Appealing to Lemma 24, we can deduce  $s'.M(p) = \sigma'(id_p)(\text{"sm"})$ .

Rewriting the goal with  $s'.M(p) = \sigma'(id_p)(\text{"sm"})$ :

$$\boxed{s'.M(p) < \omega = \text{true.}}$$

By definition of $t \in \text{Sens}(s'.M)$ and $\text{pre}(p, t) = (\omega, \text{inhib})$, we have $s'.M(p) < \omega$, which closes the goal.

2. Assuming that  $\sigma'(id_t)(\text{"s\_enabled"}) = \text{true}$ , let us show  $t \in \text{Sens}(s'.M)$ .

By definition of  $t \in \text{Sens}(s'.M)$ , let us show

$$\boxed{\forall p \in P, \omega \in \mathbb{N}^*, \big((\text{pre}(p, t) = (\omega, \text{basic}) \vee \text{pre}(p, t) = (\omega, \text{test})) \Rightarrow s'.M(p) \geq \omega\big) \wedge \big(\text{pre}(p, t) = (\omega, \text{inhib}) \Rightarrow s'.M(p) < \omega\big)}$$

Given a  $p \in P$  and an  $\omega \in \mathbb{N}^*$ , let us show

$$\boxed{\text{pre}(p, t) = (\omega, \text{basic}) \vee \text{pre}(p, t) = (\omega, \text{test}) \Rightarrow s'.M(p) \geq \omega \text{ and}}$$

$$\boxed{\text{pre}(p, t) = (\omega, \text{inhib}) \Rightarrow s'.M(p) < \omega.}$$

(a) Assuming $\text{pre}(p, t) = (\omega, \text{basic}) \vee \text{pre}(p, t) = (\omega, \text{test})$, let us show $s'.M(p) \geq \omega$.

The proof is the same for $\text{pre}(p, t) = (\omega, \text{basic})$ and $\text{pre}(p, t) = (\omega, \text{test})$; we therefore only cover the case $\text{pre}(p, t) = (\omega, \text{basic})$.

By property of the stabilize relation and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , equation (A.17) holds.

Rewriting  $\sigma'(id_t)(\text{"se"}) = \text{true}$  with (A.17), we can deduce:

$$\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"iav"})[i] = \text{true.}$$

Then, we can deduce that  $\forall i \in [0, \Delta(id_t)(\text{"ian"}) - 1], \sigma'(id_t)(\text{"iav"})[i] = \text{true}$ .

By construction, there exist an  $id_p \in Comps(\Delta)$ ,  $gm_p, ipm_p, opm_p$ ,  $i \in [0, |input(t)| - 1]$ ,  $j \in [0, |output(p)| - 1]$  and  $id_{ji} \in Sigs(\Delta)$  s.t.  $\gamma(p) = id_p$  and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$  and  $\langle \text{output\_arcs\_valid}(j) \Rightarrow id_{ji} \rangle \in opm_p$  and  $\langle \text{input\_arcs\_valid}(i) \Rightarrow id_{ji} \rangle \in ipm_t$ . Let us take such an  $id_p \in Comps(\Delta)$ ,  $gm_p, ipm_p, opm_p$ ,  $i \in [0, |input(t)| - 1]$ ,  $j \in [0, |output(p)| - 1]$  and  $id_{ji} \in Sigs(\Delta)$ .

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |input(t)| \rangle \in gm_t$ .

By property of the elaboration relation and  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\Delta(id_t)(\text{"ian"}) = |input(t)|$ .

Thanks to  $\Delta(id_t)(\text{"ian"}) = |input(t)|$ , we can deduce that  $\forall i \in [0, |input(t)| - 1]$ ,  $\sigma'(id_t)(\text{"iav"})[i] = \text{true}$ .

Having such an  $i \in [0, |input(t)| - 1]$ , we can deduce that  $\sigma'(id_t)(\text{"iav"})[i] = \text{true}$ .

By property of the stabilize relation,  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$  and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma'(id_t)(\text{"iav"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"oav"})[j]$ .

Thanks to  $\sigma'(id_t)(\text{"iav"})[i] = \sigma'(id_{ji}) = \sigma'(id_p)(\text{"oav"})[j]$ , we can deduce that  $\sigma'(id_p)(\text{"oav"})[j] = \text{true}$ .

By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , equation (A.18) holds. Thanks to (A.18), we can deduce that:

$$\begin{aligned} \text{true} = & ((\sigma'(id_p)(\text{"oat"})[j] = \text{basic} + \sigma'(id_p)(\text{"oat"})[j] = \text{test}) \\ & \cdot \sigma'(id_p)(\text{"sm"}) \geq \sigma'(id_p)(\text{"oaw"})[j]) \\ & + (\sigma'(id_p)(\text{"oat"})[j] = \text{inhib} \cdot \sigma'(id_p)(\text{"sm"}) < \sigma'(id_p)(\text{"oaw"})[j]) \end{aligned} \quad (\text{A.19})$$

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{basic} \rangle \in ipm_p$  and  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma'(id_p)(\text{"oat"})[j] = \text{basic}$  and  $\sigma'(id_p)(\text{"oaw"})[j] = \omega$ .

Thanks to  $\sigma'(id_p)(\text{"oat"})[j] = \text{basic}$ ,  $\sigma'(id_p)(\text{"oaw"})[j] = \omega$ , and simplifying Equation (A.19), we can deduce  $\sigma'(id_p)(\text{"sm"}) \geq \omega = \text{true}$ .

Appealing to Lemma 24,  $s'.M(p) \geq \omega$ .

(b) Assuming  $pre(p, t) = (\omega, \text{inhib})$ , let us show  $s'.M(p) < \omega$ .

The proof proceeds as in case (a) up to the point where the two cases diverge; we resume from there:

By construction,  $\langle \text{output\_arcs\_types}(j) \Rightarrow \text{inhib} \rangle \in ipm_p$  and  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma'(id_p)(\text{"oat"})[j] = \text{inhib}$  and  $\sigma'(id_p)(\text{"oaw"})[j] = \omega$ .

Thanks to  $\sigma'(id_p)(\text{"oat"})[j] = \text{inhib}$  and  $\sigma'(id_p)(\text{"oaw"})[j] = \omega$ , and simplifying Equation (A.19), we can deduce  $\sigma'(id_p)(\text{"sm"}) < \omega = \text{true}$ .

Appealing to Lemma 24,  $s'.M(p) < \omega$ .

□
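As an added worked instance of equations (A.17) and (A.18) (this example is not part of the original proof; the net, arcs and marking below are chosen for illustration), consider a transition $t$ with three input places

$$\begin{aligned}
&\text{pre}(p_1, t) = (1, \text{basic}), \quad \text{pre}(p_2, t) = (2, \text{test}), \quad \text{pre}(p_3, t) = (1, \text{inhib}), \\
&s'.M(p_1) = 1, \quad s'.M(p_2) = 3, \quad s'.M(p_3) = 0,
\end{aligned}$$

and assume each $p_k$ has $t$ as its only output transition, so the arc toward $t$ has index $j = 0$ in $p_k$ and index $i = k - 1$ in $t$. By Lemma 24, $\sigma'(id_{p_k})(\text{"sm"}) = s'.M(p_k)$, and by construction $\sigma'(id_{p_k})(\text{"oat"})[0]$ and $\sigma'(id_{p_k})(\text{"oaw"})[0]$ carry the type and weight of $\text{pre}(p_k, t)$. Evaluating (A.18) for each place, writing $1$ for true and $0$ for false:

$$\begin{aligned}
\sigma'(id_{p_1})(\text{"oav"})[0] &= (1 + 0) \cdot (1 \geq 1) + 0 \cdot (1 < 1) = 1 \cdot 1 + 0 = \text{true}, \\
\sigma'(id_{p_2})(\text{"oav"})[0] &= (0 + 1) \cdot (3 \geq 2) + 0 \cdot (3 < 2) = 1 \cdot 1 + 0 = \text{true}, \\
\sigma'(id_{p_3})(\text{"oav"})[0] &= (0 + 0) \cdot (0 \geq 1) + 1 \cdot (0 < 1) = 0 + 1 \cdot 1 = \text{true}.
\end{aligned}$$

Each value reaches $t$ through the shared signal $id_{ji}$, so $\sigma'(id_t)(\text{"iav"}) = [\text{true}, \text{true}, \text{true}]$, and (A.17) with $\Delta(id_t)(\text{"ian"}) = 3$ gives

$$\sigma'(id_t)(\text{"se"}) = \prod_{i=0}^{2} \sigma'(id_t)(\text{"iav"})[i] = \text{true},$$

which agrees with $t \in \text{Sens}(s'.M)$: $1 \geq 1$, $3 \geq 2$ and $0 < 1$ are exactly the three conditions of the definition. If instead $s'.M(p_3) = 1$, the inhibitor term becomes $1 \cdot (1 < 1) = 0$, so $\sigma'(id_{p_3})(\text{"oav"})[0] = \text{false}$, the product in (A.17) is false, and $t \notin \text{Sens}(s'.M)$ because the inhibitor condition fails; a single false input arc is enough, which is the situation Lemma 31 below states.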

**Lemma 31** (Rising edge equal not sensitized). For all $sitpn, d, \gamma, E_c, E_p, \tau, \Delta, \sigma_e, s, s', \sigma, \sigma_i, \sigma_\uparrow, \sigma'$ that verify the hypotheses of Definition 32, then

$$\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t, t \notin Sens(s'.M) \Leftrightarrow \sigma'(id_t)(\text{"s\_enabled"}) = \text{false}.$$

*Proof.* The lemma follows from Lemma 30 by contraposition: $t \notin Sens(s'.M)$ iff $\sigma'(id_t)(\text{"s\_enabled"}) \neq \text{true}$, and since $\text{"s\_enabled"}$ is a Boolean signal, $\sigma'(id_t)(\text{"s\_enabled"}) \neq \text{true}$ iff $\sigma'(id_t)(\text{"s\_enabled"}) = \text{false}$. $\square$

## A.4 Falling Edge

### A.4.1 Falling Edge and marking

**Lemma 32** (Falling edge equal marking). For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Definition 23, then  $\forall p \in P, id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p, s'.M(p) = \sigma'(id_p)(\text{"s_marking"})$ .

*Proof.* Given a $p \in P$ and an $id_p \in Comps(\Delta)$ s.t. $\gamma(p) = id_p$, let us show

$$s'.M(p) = \sigma'(id_p)(\text{"s_marking"}).$$

By definition of  $E_c, \tau \vdash sitpn, s \xrightarrow{\downarrow} s'$ , we can deduce  $s.M(p) = s'.M(p)$ .

By construction and by definition of $id_p$, there exist $gm_p, ipm_p, opm_p$ s.t. $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$. By property of the $\text{Inject}_\downarrow$ relation, the $\mathcal{H}$-VHDL falling edge relation, the stabilize relation and $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$, and through the examination of the marking process defined in the place design architecture, we can deduce $\sigma'(id_p)(\text{"s\_marking"}) = \sigma(id_p)(\text{"s\_marking"})$.

Rewriting the goal with  $s.M(p) = s'.M(p)$  and  $\sigma'(id_p)(\text{"sm"}) = \sigma(id_p)(\text{"sm"})$ :  $s.M(p) = \sigma(id_p)(\text{"s_marking"}).$

By definition of $\gamma, E_c, \tau \vdash s \approx \sigma$, $s.M(p) = \sigma(id_p)(\text{"s\_marking"})$, which closes the goal.

$\square$

**Lemma 33** (Falling Edge Equal Output Token Sum). For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Definition 23, then  $\forall p, id_p$  s.t.  $\gamma(p) = id_p, \sum_{t \in Fired(s')} pre(p, t) = \sigma'(id_p)(\text{"s_output_token_sum"})$ .

*Proof.* Given a $p \in P$ and an $id_p \in Comps(\Delta)$ s.t. $\gamma(p) = id_p$, let us show

$$\sum_{t \in Fired(s')} pre(p, t) = \sigma'(id_p)(\text{"s_output_token_sum"}).$$

By construction and by definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ .

By property of the stabilize relation,  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the output\_tokens\_sum process defined in the place design architecture:

$$\sigma'(id_p)(\text{"sots"}) = \sum_{i=0}^{\Delta(id_p)(\text{"oan"})-1} \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] \text{ if } (\sigma'(id_p)(\text{"otf"})[i] \\ \quad . \sigma'(id_p)(\text{"oat"})[i] = \text{basic}) \\ 0 \text{ otherwise} \end{cases} \quad (\text{A.20})$$

Rewriting the goal with (A.20):

$$\sum_{t \in Fired(s')} pre(p, t) = \sum_{i=0}^{\Delta(id_p)(\text{"oan"})-1} \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] \text{ if } (\sigma'(id_p)(\text{"otf"})[i] \\ \quad . \sigma'(id_p)(\text{"oat"})[i] = \text{basic}) \\ 0 \text{ otherwise} \end{cases}$$

Let us unfold the definition of the left sum term:

$$\sum_{t \in Fired(s')} \begin{cases} \omega \text{ if } pre(p, t) = (\omega, \text{basic}) \\ 0 \text{ otherwise} \end{cases} =$$

$$\sum_{i=0}^{\Delta(id_p)(\text{"oan"})-1} \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] \text{ if } (\sigma'(id_p)(\text{"otf"})[i] \\ \quad \cdot \sigma'(id_p)(\text{"oat"})[i] = \text{basic}) \\ 0 \text{ otherwise} \end{cases}$$

To ease the reading, let us define functions  $f \in Fired(s') \rightarrow \mathbb{N}$  and  $g \in [0, |output(p)| - 1] \rightarrow \mathbb{N}$  s.t.

$$f(t) = \begin{cases} \omega \text{ if } pre(p, t) = (\omega, \text{basic}) \\ 0 \text{ otherwise} \end{cases} \quad \text{and } g(i) = \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] \text{ if } (\sigma'(id_p)(\text{"otf"})[i] \\ \quad \cdot \sigma'(id_p)(\text{"oat"})[i] = \text{basic}) \\ 0 \text{ otherwise} \end{cases}$$

Then, the goal is:  $\sum_{t \in Fired(s')} f(t) = \sum_{i=0}^{\Delta(id_p)(\text{"oan"})-1} g(i)$

Let us perform case analysis on  $output(p)$ ; there are two cases:

- **CASE**  $output(p) = \emptyset$ :

By construction,  $\langle output\_arcs\_number \Rightarrow 1 \rangle \in gm_p$ ,  $\langle output\_arcs\_types(0) \Rightarrow \text{basic} \rangle \in ipm_p$ ,  $\langle output\_transitions\_fired(0) \Rightarrow \text{true} \rangle \in ipm_p$ , and  $\langle output\_arcs\_weights(0) \Rightarrow 0 \rangle \in ipm_p$ .

By property of the elaboration relation and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\Delta(id_p)(\text{"oan"}) = 1$ .

By property of the stabilize relation and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma'(id_p)(\text{"oat"})[0] = \text{basic}$ ,  $\sigma'(id_p)(\text{"otf"})[0] = \text{true}$  and  $\sigma'(id_p)(\text{"oaw"})[0] = 0$ .

By property of  $output(p) = \emptyset$ , we can deduce

$$\sum_{t \in Fired(s')} \begin{cases} \omega \text{ if } pre(p, t) = (\omega, \text{basic}) \\ 0 \text{ otherwise} \end{cases} = 0$$

Rewriting the goal with  $\Delta(id_p)(\text{"oan"}) = 1$ ,  $\sigma'(id_p)(\text{"oat"})[0] = \text{basic}$ ,  $\sigma'(id_p)(\text{"otf"})[0] = \text{true}$ ,  $\sigma'(id_p)(\text{"oaw"})[0] = 0$  and  $\sum_{t \in Fired(s')} \begin{cases} \omega \text{ if } pre(p, t) = (\omega, \text{basic}) \\ 0 \text{ otherwise} \end{cases} = 0$ , **tautology**.

- **CASE**  $output(p) \neq \emptyset$ :

By construction,  $\langle output\_arcs\_number \Rightarrow |output(p)| \rangle \in gm_p$ , and by property of the elaboration relation, we can deduce  $\Delta(id_p)(\text{"oan"}) = |output(p)|$ .

Rewriting the goal with  $\Delta(id_p)(\text{"oan"}) = |output(p)|$ :  $\sum_{t \in Fired(s')} f(t) = \sum_{i=0}^{|output(p)|-1} g(i)$ .

Let us reason by induction on the right sum term of the goal.

- **BASE CASE**:

In that case, $0 > |\text{output}(p)| - 1$ and $\sum_{i=0}^{|\text{output}(p)|-1} g(i) = 0$.

As $0 > |\text{output}(p)| - 1$, then $|\text{output}(p)| = 0$, thus contradicting $\text{output}(p) \neq \emptyset$.

- **INDUCTION CASE**:

In that case, $0 \leq |\text{output}(p)| - 1$. The induction hypothesis is:

$$\forall F \subseteq \text{Fired}(s'), g(0) + \sum_{t \in F} f(t) = g(0) + \sum_{i=1}^{|\text{output}(p)|-1} g(i)$$

and the goal is:

$$\sum_{t \in \text{Fired}(s')} f(t) = g(0) + \sum_{i=1}^{|\text{output}(p)|-1} g(i)$$

By definition of  $g$ :

$$g(0) = \begin{cases} \sigma'(\text{id}_p)(\text{"oaw"})[0] \text{ if } (\sigma'(\text{id}_p)(\text{"otf"})[0] \\ \quad \cdot \sigma'(\text{id}_p)(\text{"oat"})[0] = \text{basic}) \\ 0 \text{ otherwise} \end{cases} \quad (\text{A.21})$$

Let us perform case analysis on the value of  $\sigma'(\text{id}_p)(\text{"otf"})[0] \cdot \sigma'(\text{id}_p)(\text{"oat"})[0] = \text{basic}$ ; there are two cases:

- $(\sigma'(\text{id}_p)(\text{"otf"})[0] \cdot \sigma'(\text{id}_p)(\text{"oat"})[0] = \text{basic}) = \text{false}$ :

In that case,  $g(0) = 0$ , and then we can apply the induction hypothesis with  $F = \text{Fired}(s')$

to solve the goal:  $\sum_{t \in \text{Fired}(s')} f(t) = \sum_{i=1}^{|\text{output}(p)|-1} g(i).$

- $(\sigma'(\text{id}_p)(\text{"otf"})[0] \cdot \sigma'(\text{id}_p)(\text{"oat"})[0] = \text{basic}) = \text{true}$ :

In that case,  $g(0) = \sigma'(\text{id}_p)(\text{"oaw"})[0]$ ,  $\sigma'(\text{id}_p)(\text{"otf"})[0] = \text{true}$  and  $\sigma'(\text{id}_p)(\text{"oat"})[0] = \text{basic}$ .

By construction, there exist a $t \in \text{output}(p)$ and an $\text{id}_t \in \text{Comps}(\Delta)$ s.t. $\gamma(t) = \text{id}_t$, there exist $gm_t, ipm_t, opm_t$ s.t. $\text{comp}(\text{id}_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$, and there exist an $\omega \in \mathbb{N}^*$, an $a \in \{\text{basic}, \text{test}, \text{inhib}\}$ and an $\text{id}_{ft} \in \text{Sigs}(\Delta)$ such that:

- \*  $\text{pre}(p, t) = (\omega, a)$
- \*  $\langle \text{output\_arcs\_types}(0) \Rightarrow a \rangle \in ipm_p$
- \*  $\langle \text{output\_arcs\_weights}(0) \Rightarrow \omega \rangle \in ipm_p$
- \*  $\langle \text{fired} \Rightarrow \text{id}_{ft} \rangle \in opm_t$
- \*  $\langle \text{output\_transitions\_fired}(0) \Rightarrow \text{id}_{ft} \rangle \in ipm_p$

By property of the stabilize relation,  $\sigma'(\text{id}_p)(\text{"oat"})[0] = \text{basic}$  and  $\langle \text{output\_arcs\_types}(0) \Rightarrow a \rangle \in ipm_p$ , we can deduce  $\text{pre}(p, t) = (\omega, \text{basic})$ .

By property of the stabilize relation, $\langle \text{fired} \Rightarrow \text{id}_{ft} \rangle \in opm_t$, $\langle \text{output\_transitions\_fired}(0) \Rightarrow \text{id}_{ft} \rangle \in ipm_p$ and $\sigma'(\text{id}_p)(\text{"otf"})[0] = \text{true}$, we can deduce $\sigma'(\text{id}_t)(\text{"fired"}) = \text{true}$.

Appealing to Lemma 4, and thanks to  $\sigma'(\text{id}_t)(\text{"fired"}) = \text{true}$ , we can deduce  $t \in \text{Fired}(s')$ . With  $t \in \text{Fired}(s')$ , we can rewrite the left sum term of the goal as follows:

$$f(t) + \sum_{t' \in \text{Fired}(s') \setminus \{t\}} f(t') = g(0) + \sum_{i=1}^{|\text{output}(p)|-1} g(i)$$

We know that  $g(0) = \sigma'(id_p)(\text{"oaw"})[0]$ , and by property of the stabilize relation and  $\langle \text{output\_arcs\_weights}(0) \Rightarrow \omega \rangle \in ipm_p$ , we can deduce  $\sigma'(id_p)(\text{"oaw"})[0] = \omega$ .

Rewriting the goal with  $\sigma'(id_p)(\text{"oaw"})[0] = \omega$ :

$$f(t) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = \omega + \sum_{i=1}^{|output(p)|-1} g(i)$$

By definition of  $f$ , and as  $pre(p, t) = (\omega, \text{basic})$ , then  $f(t) = \omega$ ; thus, rewriting the goal:

$$\omega + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = \omega + \sum_{i=1}^{|output(p)|-1} g(i)$$

Then, knowing that  $g(0) = \omega$ , we can apply the induction hypothesis with  $F = Fired(s') \setminus \{t\}$ :

$$g(0) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = g(0) + \sum_{i=1}^{|output(p)|-1} g(i).$$

□

**Lemma 34** (Falling Edge Equal Input Token Sum). *For all $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$ that verify the hypotheses of Definition 23, then $\forall p, id_p$ s.t. $\gamma(p) = id_p$, $\sum_{t \in Fired(s')} post(t, p) = \sigma'(id_p)(\text{"s\_input\_token\_sum"})$.*

*Proof.* Given a $p \in P$ and an $id_p \in Comps(\Delta)$ s.t. $\gamma(p) = id_p$, let us show

$$\sum_{t \in Fired(s')} post(t, p) = \sigma'(id_p)(\text{"s_input_token_sum"}).$$

By construction and by definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ .

By property of the stabilize relation,  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the `input_tokens_sum` process defined in the place design architecture:

$$\sigma'(id_p)(\text{"sits"}) = \sum_{i=0}^{\Delta(id_p)(\text{"ian"})-1} \begin{cases} \sigma'(id_p)(\text{"iaw"})[i] & \text{if } \sigma'(id_p)(\text{"itf"})[i] \\ 0 & \text{otherwise} \end{cases} \quad (\text{A.22})$$

Rewriting the goal with (A.22):

$$\sum_{t \in Fired(s')} post(t, p) = \sum_{i=0}^{\Delta(id_p)(\text{"ian"})-1} \begin{cases} \sigma'(id_p)(\text{"iaw"})[i] & \text{if } \sigma'(id_p)(\text{"itf"})[i] \\ 0 & \text{otherwise} \end{cases}$$

Let us unfold the definition of the left sum term:

$$\begin{aligned} \sum_{t \in Fired(s')} & \begin{cases} \omega & \text{if } post(t, p) = \omega \\ 0 & \text{otherwise} \end{cases} \\ &= \sum_{i=0}^{\Delta(id_p)(\text{"ian"})-1} \begin{cases} \sigma'(id_p)(\text{"iaw"})[i] & \text{if } \sigma'(id_p)(\text{"itf"})[i] \\ 0 & \text{otherwise} \end{cases} \end{aligned}$$

Let us perform case analysis on  $input(p)$ ; there are two cases:

- **CASE**  $\text{input}(p) = \emptyset$ :

By construction, $\langle \text{input\_arcs\_number} \Rightarrow 1 \rangle \in gm_p$, $\langle \text{input\_transitions\_fired}(0) \Rightarrow \text{true} \rangle \in ipm_p$, and $\langle \text{input\_arcs\_weights}(0) \Rightarrow 0 \rangle \in ipm_p$.

By property of the elaboration relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\Delta(id_p)(\text{"ian"}) = 1$ .

By property of the stabilize relation and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma'(id_p)(\text{"itf"})[0] = \text{true}$  and  $\sigma'(id_p)(\text{"iaw"})[0] = 0$ .

By property of  $\text{input}(p) = \emptyset$ , we can deduce  $\sum_{t \in Fired(s')} \begin{cases} \omega & \text{if } post(t, p) = \omega \\ 0 & \text{otherwise} \end{cases} = 0$ .

Rewriting the goal with  $\Delta(id_p)(\text{"ian"}) = 1$ ,  $\sigma'(id_p)(\text{"itf"})[0] = \text{true}$ ,  $\sigma'(id_p)(\text{"iaw"})[0] = 0$ , and

$\sum_{t \in Fired(s')} \begin{cases} \omega & \text{if } post(t, p) = \omega \\ 0 & \text{otherwise} \end{cases} = 0$ , and simplifying the goal: **tautology**.

- **CASE**  $\text{input}(p) \neq \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |\text{input}(p)| \rangle \in gm_p$ , and by property of the elaboration relation, we can deduce  $\Delta(id_p)(\text{"ian"}) = |\text{input}(p)|$ .

To ease the reading, let us define functions  $f \in Fired(s') \rightarrow \mathbb{N}$  and  $g \in [0, |\text{input}(p)| - 1] \rightarrow \mathbb{N}$

$$\text{s.t. } f(t) = \begin{cases} \omega & \text{if } post(t, p) = \omega \\ 0 & \text{otherwise} \end{cases} \quad \text{and } g(i) = \begin{cases} \sigma'(id_p)(\text{"iaw"})[i] & \text{if } \sigma'(id_p)(\text{"itf"})[i] \\ 0 & \text{otherwise} \end{cases}$$

Then, the goal is: 
$$\boxed{\sum_{t \in Fired(s')} f(t) = \sum_{i=0}^{\Delta(id_p)(\text{"ian"})-1} g(i)}$$

Rewriting the goal with  $\Delta(id_p)(\text{"ian"}) = |\text{input}(p)|$ : 
$$\boxed{\sum_{t \in Fired(s')} f(t) = \sum_{i=0}^{|\text{input}(p)|-1} g(i)}.$$

Let us reason by induction on the right sum term of the goal.

– **BASE CASE:** In that case,  $0 > |\text{input}(p)| - 1$  and  $\sum_{i=0}^{|\text{input}(p)|-1} g(i) = 0$ .

As  $0 > |\text{input}(p)| - 1$ , then  $|\text{input}(p)| = 0$ , thus **contradicting  $\text{input}(p) \neq \emptyset$** .

– **INDUCTION CASE:** In that case, $0 \leq |\text{input}(p)| - 1$. The induction hypothesis is:

$$\forall F \subseteq Fired(s'), g(0) + \sum_{t \in F} f(t) = g(0) + \sum_{i=1}^{|\text{input}(p)|-1} g(i)$$

and the goal is:

$$\boxed{\sum_{t \in Fired(s')} f(t) = g(0) + \sum_{i=1}^{|\text{input}(p)|-1} g(i)}$$

By definition of  $g$ , we can deduce  $g(0) = \begin{cases} \sigma'(id_p)(\text{"iaw"})[0] & \text{if } \sigma'(id_p)(\text{"itf"})[0] \\ 0 & \text{otherwise} \end{cases}$

Let us perform case analysis on the value of  $\sigma'(id_p)(\text{"itf"})[0]$ ; there are two cases:

1.  $\sigma'(id_p)(\text{"itf"})[0] = \text{false}$ :

In that case,  $g(0) = 0$ , and then we can apply the induction hypothesis with  $F = Fired(s')$

to solve the goal:  $\sum_{t \in Fired(s')} f(t) = \sum_{i=1}^{|input(p)|-1} g(i).$

2.  $\sigma'(id_p)(\text{"itf"})[0] = \text{true}$ :

In that case,  $g(0) = \sigma'(id_p)(\text{"iaw"})[0]$  and  $\sigma'(id_p)(\text{"itf"})[0] = \text{true}$ .

By construction, there exist a $t \in input(p)$, an $id_t \in Comps(\Delta)$ s.t. $\gamma(t) = id_t$, $gm_t$, $ipm_t$, $opm_t$ s.t. $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$, an $\omega \in \mathbb{N}^*$ and an $id_{ft} \in Sigs(\Delta)$ such that:

- \*  $post(t, p) = \omega$
- \*  $\langle \text{input\_arcs\_weights}(0) \Rightarrow \omega \rangle \in ipm_p$
- \*  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$
- \*  $\langle \text{input\_transitions\_fired}(0) \Rightarrow id_{ft} \rangle \in ipm_p$

By property of the stabilize relation,  $\langle \text{fired} \Rightarrow id_{ft} \rangle \in opm_t$ ,  $\langle \text{input\_transitions\_fired}(0) \Rightarrow id_{ft} \rangle \in ipm_p$  and  $\sigma'(id_p)(\text{"itf"})[0] = \text{true}$ , we can deduce  $\sigma'(id_t)(\text{"fired"}) = \text{true}$ .

Appealing to Lemma 4 and  $\sigma'(id_t)(\text{"fired"}) = \text{true}$ , we can deduce  $t \in Fired(s')$ . As  $t \in Fired(s')$ , we can rewrite the left sum term of the goal as follows:

$$f(t) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = g(0) + \sum_{i=1}^{|input(p)|-1} g(i)$$

We know that  $g(0) = \sigma'(id_p)(\text{"iaw"})[0]$ , and by property of the stabilize relation and  $\langle \text{input\_arcs\_weights}(0) \Rightarrow \omega \rangle \in ipm_p$ , we can deduce  $\sigma'(id_p)(\text{"iaw"})[0] = \omega$ .

Rewriting the goal with  $\sigma'(id_p)(\text{"iaw"})[0] = \omega$ :

$$f(t) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = \omega + \sum_{i=1}^{|input(p)|-1} g(i)$$

By definition of  $f$ , and as  $post(t, p) = \omega$ , then  $f(t) = \omega$ ; thus, rewriting the goal:

$$\omega + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = \omega + \sum_{i=1}^{|input(p)|-1} g(i)$$

Then, knowing that  $g(0) = \omega$ , we can apply the induction hypothesis with  $F = Fired(s') \setminus \{t\}$ :

$$g(0) + \sum_{t' \in Fired(s') \setminus \{t\}} f(t') = g(0) + \sum_{i=1}^{|input(p)|-1} g(i).$$

□
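As an added worked instance of equations (A.20) and (A.22) (not part of the original proofs of Lemmas 33 and 34; the net and the fired set below are chosen for illustration), consider a place $p$ with

$$\begin{aligned}
&\text{output}(p) = \{t_1, t_2, t_3\}, \quad \text{pre}(p, t_1) = (2, \text{basic}), \quad \text{pre}(p, t_2) = (1, \text{test}), \quad \text{pre}(p, t_3) = (3, \text{basic}), \\
&\text{input}(p) = \{t_4, t_5\}, \quad post(t_4, p) = 1, \quad post(t_5, p) = 4, \\
&Fired(s') = \{t_1, t_2, t_4\},
\end{aligned}$$

where output arc $i$ of $p$ leads to $t_{i+1}$ and input arc $0$ (resp. $1$) comes from $t_4$ (resp. $t_5$). By construction and Lemma 4, the fired signals of the transition components reach $p$ through the $\text{output\_transitions\_fired}$ and $\text{input\_transitions\_fired}$ ports, so after stabilization

$$\begin{aligned}
\sigma'(id_p)(\text{"otf"}) &= [\text{true}, \text{true}, \text{false}], & \sigma'(id_p)(\text{"oat"}) &= [\text{basic}, \text{test}, \text{basic}], & \sigma'(id_p)(\text{"oaw"}) &= [2, 1, 3], \\
\sigma'(id_p)(\text{"itf"}) &= [\text{true}, \text{false}], & & & \sigma'(id_p)(\text{"iaw"}) &= [1, 4].
\end{aligned}$$

Equation (A.20) then gives, term by term over $i = 0, 1, 2$:

$$\sigma'(id_p)(\text{"sots"}) = \underbrace{2}_{\text{fired, basic}} + \underbrace{0}_{\text{fired, but test}} + \underbrace{0}_{\text{basic, but not fired}} = 2,$$

and on the SITPN side $\sum_{t \in Fired(s')} f(t) = f(t_1) + f(t_2) + f(t_4) = 2 + 0 + 0 = 2$: $t_2$ contributes nothing because its arc is a test arc, and $t_4$ contributes nothing because $t_4 \notin \text{output}(p)$. Equation (A.22) gives

$$\sigma'(id_p)(\text{"sits"}) = \underbrace{1}_{\text{fired}} + \underbrace{0}_{\text{not fired}} = 1 = post(t_4, p) = \sum_{t \in Fired(s')} post(t, p),$$

since $t_1, t_2 \notin \text{input}(p)$. The degenerate case $\text{output}(p) = \emptyset$ handled in the proof of Lemma 33 fits the same computation: the single generated arc has $\text{"oaw"}[0] = 0$, so it adds $0$ to $\text{"sots"}$ even though its $\text{"otf"}[0]$ is wired to true.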

### A.4.2 Falling edge and time counters

**Lemma 35** (Falling edge equal time counters). *For all $sitpn$, $d$, $\gamma$, $\Delta$, $\sigma_e$, $E_c$, $E_p$, $\tau$, $s$, $s'$, $\sigma$, $\sigma_i$, $\sigma_\downarrow$, $\sigma'$ that verify the hypotheses of Definition 23, then $\forall t \in T_i, id_t \in Comps(\Delta)$ s.t. $\gamma(t) = id_t$,*

$$\begin{aligned} & (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) \leq \text{lower}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"})) \\ & \wedge (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) > \text{lower}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{lower}(I_s(t))) \\ & \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) > \text{upper}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{upper}(I_s(t))) \\ & \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) \leq \text{upper}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"})) \end{aligned}$$
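As an added illustration of why the statement separates $s'.I(t) \leq \text{lower}(I_s(t))$ from $s'.I(t) > \text{lower}(I_s(t))$ (this trace is not part of the original lemma or its proof; the interval and the schedule of sensitization are chosen for illustration), take $I_s(t) = [3, \infty]$, so that, as the proof below derives, $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF}$ and $\Delta(id_t)(\text{"mtc"}) = 3$. Assume $t$ is sensitized at every one of the first five falling edges, is never reset, and both counters start at $0$. The SITPN counter is incremented at every falling edge (Rule (4) as invoked in the proof), whereas the $\text{time\_counter}$ process increments $\text{"stc"}$ only while $\text{"stc"} < \text{"mtc"}$ and then holds it (equations (A.23) and (A.24) in the proof). Writing $s_k$ and $\sigma_k$ for the states after $k$ falling edges:

$$\begin{array}{l|cccccc}
k & 0 & 1 & 2 & 3 & 4 & 5 \\ \hline
s_k.I(t) & 0 & 1 & 2 & 3 & 4 & 5 \\
\sigma_k(id_t)(\text{"stc"}) & 0 & 1 & 2 & 3 & 3 & 3 \\
\text{clause of Lemma 35 that applies} & 1 & 1 & 1 & 1 & 2 & 2
\end{array}$$

For $k \leq 3$, $s_k.I(t) \leq \text{lower}(I_s(t))$ and the two counters coincide (first clause). For $k \geq 4$, $s_k.I(t) > \text{lower}(I_s(t))$ while the design counter has saturated at $\text{lower}(I_s(t)) = \Delta(id_t)(\text{"mtc"}) = 3$ (second clause); the two values differ, which is why the lemma cannot claim plain equality for all $k$. Two further situations complete the picture: if at some falling edge $s.reset_t(t) = \text{true}$ with $t$ sensitized, both counters restart at $1$ ((A.25) and Rule (3)); if $t$ is not sensitized, both are $0$ ((A.26) and Rule (3)). When $\text{upper}(I_s(t)) \neq \infty$, the third and fourth clauses read the same way with $\text{upper}(I_s(t))$ as the saturation value.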

*Proof.* Given a  $t \in T_i$  and an  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show

$$\begin{aligned} & (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) \leq \text{lower}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"})) \\ & \wedge (\text{upper}(I_s(t)) = \infty \wedge s'.I(t) > \text{lower}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{lower}(I_s(t))) \\ & \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) > \text{upper}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s\_time\_counter"}) = \text{upper}(I_s(t))) \\ & \wedge (\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) \leq \text{upper}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"})) \end{aligned}$$

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the elaboration, $\text{Inject}_{\downarrow}$, $\mathcal{H}$-VHDL falling edge and stabilize relations, $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$, and through the examination of the time\_counter process defined in the transition design architecture, we can deduce:

$$\begin{aligned} \sigma(id_t)(\text{"se"}) &= \text{true} \wedge \Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMPORAL} \wedge \sigma(id_t)(\text{"srtc"}) = \text{false} \\ &\wedge \sigma(id_t)(\text{"stc"}) < \Delta(id_t)(\text{"mtc"}) \Rightarrow \sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) + 1 \end{aligned} \quad (\text{A.23})$$

$$\begin{aligned} \sigma(id_t)(\text{"se"}) &= \text{true} \wedge \Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMPORAL} \wedge \sigma(id_t)(\text{"srtc"}) = \text{false} \\ &\wedge \sigma(id_t)(\text{"stc"}) \geq \Delta(id_t)(\text{"mtc"}) \Rightarrow \sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) \end{aligned} \quad (\text{A.24})$$

$$\begin{aligned} \sigma(id_t)(\text{"se"}) &= \text{true} \wedge \Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMPORAL} \\ &\wedge \sigma(id_t)(\text{"srtc"}) = \text{true} \Rightarrow \sigma'(id_t)(\text{"stc"}) = 1 \end{aligned} \quad (\text{A.25})$$

$$\sigma(id_t)(\text{"se"}) = \text{false} \vee \Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMPORAL} \Rightarrow \sigma'(id_t)(\text{"stc"}) = 0 \quad (\text{A.26})$$

Then, there are 4 points to show:

1. $\boxed{\text{upper}(I_s(t)) = \infty \wedge s'.I(t) \leq \text{lower}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"})}$

Assuming  $\text{upper}(I_s(t)) = \infty$  and  $s'.I(t) \leq \text{lower}(I_s(t))$ , let us show

$$\boxed{s'.I(t) = \sigma'(id_t)(\text{"s\_time\_counter"}).}$$

Let us perform case analysis on  $t \in Sens(s.M)$ ; there are two cases:

(a) **CASE**  $t \notin Sens(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we can deduce  $\sigma(id_t)(\text{"se"}) = \text{false}$ .

Appealing to (A.26) and  $\sigma(id_t)(\text{"se"}) = \text{false}$ , we can deduce  $\sigma'(id_t)(\text{"stc"}) = 0$ .

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$  (Rule (3)), we can deduce  $s'.I(t) = 0$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = 0$  and  $s'.I(t) = 0$ : tautology.

(b) **CASE**  $t \in Sens(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we can deduce  $\sigma(id_t)(\text{"se"}) = \text{true}$ .

By construction, and as  $\text{upper}(I_s(t)) = \infty, \langle \text{transition\_type} \Rightarrow \text{TEMP\_A\_INF} \rangle \in gm_t$ . By property of the elaboration relation, we have  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF}$ .

Let us perform case analysis on  $s.reset_t(t)$ ; there are two cases:

i. **CASE**  $s.reset_t(t) = \text{true}$ :

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma, \sigma(id_t)(\text{"srtc"}) = \text{true}$ .

Appealing to (A.25),  $\sigma(id_t)(\text{"se"}) = \text{true}$ ,  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF}$  and  $\sigma(id_t)(\text{"srtc"}) = \text{true}$ , we can deduce  $\sigma'(id_t)(\text{"stc"}) = 1$ .

By definition of  $E_c, \tau \vdash s \overset{\downarrow}{\rightarrow} s'(\text{Rule (3)})$ , we can deduce  $s'.I(t) = 1$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = 1$  and  $s'.I(t) = 1$ : tautology.

ii. **CASE**  $s.reset_t(t) = \text{false}$ :

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$ , we have  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ .

As  $\text{upper}(I_s(t)) = \infty$ , there exists an  $a \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, \infty]$ . Let us take such an  $a \in \mathbb{N}^*$ . By construction,  $\langle \text{maximal\_time\_counter} \Rightarrow a \rangle \in gm_t$ , and by property of the elaboration relation, we have  $\Delta(id_t)(\text{"mtc"}) = a$ .

By definition of  $E_c, \tau \vdash s \overset{\downarrow}{\rightarrow} s'$  (Rule (4)), and knowing that  $t \in Sens(s.M)$ ,  $s.reset_t(t) = \text{false}$  and  $\text{upper}(I_s(t)) = \infty$ , we can deduce  $s'.I(t) = s.I(t) + 1$ .

Rewriting the goal with  $s'.I(t) = s.I(t) + 1$ :  $[s.I(t) + 1 = \sigma'(id_t)(\text{"stc"})]$ .

We assumed that  $s'.I(t) \leq \text{lower}(I_s(t))$ , and as  $s'.I(t) = s.I(t) + 1$ , then  $s.I(t) + 1 \leq \text{lower}(I_s(t))$ , then  $s.I(t) < \text{lower}(I_s(t))$ , then  $s.I(t) < a$  since  $a = \text{lower}(I_s(t))$ .

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$ , and knowing that  $s.I(t) < \text{lower}(I_s(t))$  and  $\text{upper}(I_s(t)) = \infty$ , we can deduce  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

Appealing to  $\Delta(id_t)(\text{"mtc"}) = a$ ,  $s.I(t) = \sigma(id_t)(\text{"stc"})$  and  $s.I(t) < a$ , we can deduce  $\sigma(id_t)(\text{"stc"}) < \Delta(id_t)(\text{"mtc"})$ .

Appealing to (A.23),  $\sigma(id_t)(\text{"stc"}) < \Delta(id_t)(\text{"mtc"})$ ,  $\sigma(id_t)(\text{"srtc"}) = \text{false}$  and  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce:  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) + 1$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) + 1$  and  $s.I(t) = \sigma(id_t)(\text{"stc"})$ : tautology.

2.  $\boxed{\text{upper}(I_s(t)) = \infty \wedge s'.I(t) > \text{lower}(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = \text{lower}(I_s(t))}$

Assuming that  $\text{upper}(I_s(t)) = \infty$  and  $s'.I(t) > \text{lower}(I_s(t))$ , let us show

$$\boxed{\sigma'(id_t)(\text{"s_time_counter"}) = \text{lower}(I_s(t))}$$

As  $\text{upper}(I_s(t)) = \infty$ , there exists an  $a \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, \infty]$ . Let us take such an  $a \in \mathbb{N}^*$ .

By construction,  $\langle \text{maximal\_time\_counter} \Rightarrow a \rangle \in gm_t$  and  $\langle \text{transition\_type} \Rightarrow \text{TEMP\_A\_INF} \rangle \in gm_t$ ; by property of the elaboration relation, we can deduce  $\Delta(id_t)(\text{"mtc"}) = a$  and  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF}$ .

Let us perform case analysis on  $t \in Sens(s.M)$ :

(a) **CASE**  $t \notin Sens(s.M)$ :

By definition of  $E_c, \tau \vdash s \overset{\downarrow}{\rightarrow} s'$  (Rule (6)), and knowing that  $t \notin Sens(s.M)$ , we can deduce  $s'.I(t) = 0$ . Since  $\text{lower}(I_s(t)) \in \mathbb{N}^*$ , then  $\text{lower}(I_s(t)) > 0$ .

Contradicts  $s'.I(t) > \text{lower}(I_s(t))$ .

(b) **CASE**  $t \in Sens(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$  and  $t \in Sens(s.M)$ , we can deduce  $\sigma(id_t)(\text{"se"}) = \text{true}$ .

Let us perform case analysis on  $s.reset_t(t)$ ; there are two cases:

i. **CASE**  $s.reset_t(t) = \text{true}$ :

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s'.I(t) = 1$ .

We assumed that  $s'.I(t) > lower(I_s(t))$ , then  $1 > lower(I_s(t))$ .

Contradicts  $lower(I_s(t)) > 0$ .

ii. **CASE**  $s.reset_t(t) = \text{false}$ :

By property of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$  and  $s.reset_t(t) = \text{false}$ , we can deduce  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ .

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), and knowing that  $s'.I(t) > lower(I_s(t))$ , we can deduce

$$\begin{aligned} s'.I(t) &= s.I(t) + 1 \Rightarrow s.I(t) + 1 > lower(I_s(t)) \\ &\Rightarrow s.I(t) \geq lower(I_s(t)) \end{aligned}$$

Let us perform case analysis on  $s.I(t) \geq lower(I_s(t))$ :

A. **CASE**  $s.I(t) > lower(I_s(t))$ :  $\boxed{\sigma'(id_t)(\text{"stc"}) = lower(I_s(t))}$

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$ , we can deduce  $\sigma(id_t)(\text{"stc"}) = lower(I_s(t))$ .

Appealing to (A.24), we can deduce  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$  and  $\sigma(id_t)(\text{"stc"}) = lower(I_s(t))$ : tautology.

B. **CASE**  $s.I(t) = lower(I_s(t))$ :  $\boxed{\sigma'(id_t)(\text{"stc"}) = lower(I_s(t))}$

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$ , we can deduce  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

Appealing to (A.24), we can deduce  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$ ,  $s.I(t) = \sigma(id_t)(\text{"stc"})$  and  $s.I(t) = lower(I_s(t))$ : tautology.

3.  $\boxed{upper(I_s(t)) \neq \infty \wedge s'.I(t) > upper(I_s(t)) \Rightarrow \sigma'(id_t)(\text{"s_time_counter"}) = upper(I_s(t))}$

Assuming that  $upper(I_s(t)) \neq \infty$  and  $s'.I(t) > upper(I_s(t))$ , let us show

$\boxed{\sigma'(id_t)(\text{"s_time_counter"}) = upper(I_s(t))}$

As  $upper(I_s(t)) \neq \infty$ , there exists an  $a \in \mathbb{N}^*$ , and a  $b \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, b]$ . Let us take such an  $a$  and  $b$ .

By construction,  $\langle \text{maximal\_time\_counter} \Rightarrow b \rangle \in gm_t$  and there exists  $tt \in \{\text{TEMP\_A\_A}, \text{TEMP\_A\_B}\}$  s.t.  $\langle \text{transition\_type} \Rightarrow tt \rangle \in gm_t$ .

By property of the elaboration relation and  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , we can deduce  $\Delta(id_t)(\text{"mtc"}) = b = upper(I_s(t))$  and  $\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP}$ .

Let us perform case analysis on  $t \in Sens(s.M)$ :

(a) **CASE**  $t \notin Sens(s.M)$ :

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (6)), and knowing that  $t \notin Sens(s.M)$ , then  $s'.I(t) = 0$ . Since  $upper(I_s(t)) \in \mathbb{N}^*$ , then  $upper(I_s(t)) > 0$ .

Contradicts  $s'.I(t) > upper(I_s(t))$ .

(b) **CASE**  $t \in \text{Sens}(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$  and  $t \in \text{Sens}(s.M)$ , we can deduce  $\sigma(id_t)(\text{"se"}) = \text{true}$ .

Let us perform case analysis on  $s.\text{reset}_t(t)$ ; there are two cases:

i. **CASE**  $s.\text{reset}_t(t) = \text{true}$ :

By definition of  $E_c, \tau \vdash s \overset{\downarrow}{\rightarrow} s'$  (Rule (3)), we can deduce  $s'.I(t) = 1$ .

We assumed that  $s'.I(t) > \text{upper}(I_s(t))$ , then we can deduce  $1 > \text{upper}(I_s(t))$ .

Contradicts  $\text{upper}(I_s(t)) > 0$ .

ii. **CASE**  $s.\text{reset}_t(t) = \text{false}$ :

By property of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$  and  $s.\text{reset}_t(t) = \text{false}$ , we can deduce  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ .

Let us perform case analysis on  $s.I(t) > \text{upper}(I_s(t))$  or  $s.I(t) \leq \text{upper}(I_s(t))$ :

A. **CASE**  $s.I(t) > \text{upper}(I_s(t))$ :  $\boxed{\sigma'(id_t)(\text{"stc"}) = \text{upper}(I_s(t))}$

By definition of  $E_c, \tau \vdash s \overset{\downarrow}{\rightarrow} s'$  (Rule (5)), we can deduce  $s'.I(t) = s.I(t)$ .

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$ , we can deduce  $\sigma(id_t)(\text{"stc"}) = \text{upper}(I_s(t))$ .

Appealing to (A.24), we have  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$  and  $\sigma(id_t)(\text{"stc"}) = \text{upper}(I_s(t))$ : tautology.

B. **CASE**  $s.I(t) \leq \text{upper}(I_s(t))$ :  $\boxed{\sigma'(id_t)(\text{"stc"}) = \text{upper}(I_s(t))}$

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$ , we can deduce  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

Let us perform case analysis on  $s.I(t) \leq \text{upper}(I_s(t))$ ; there are two cases:

- **CASE**  $s.I(t) = \text{upper}(I_s(t))$ :

Appealing to  $\Delta(id_t)(\text{"mtc"}) = b = \text{upper}(I_s(t))$ ,  $s.I(t) = \sigma(id_t)(\text{"stc"})$  and  $s.I(t) = \text{upper}(I_s(t))$ , we can deduce  $\Delta(id_t)(\text{"mtc"}) \leq \sigma(id_t)(\text{"stc"})$ .

Appealing to  $\Delta(id_t)(\text{"mtc"}) \leq \sigma(id_t)(\text{"stc"})$  and (A.24), we can deduce  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"})$ ,  $s.I(t) = \sigma(id_t)(\text{"stc"})$  and  $s.I(t) = \text{upper}(I_s(t))$ : tautology.

- **CASE**  $s.I(t) < \text{upper}(I_s(t))$ :

By definition of  $E_c, \tau \vdash s \overset{\downarrow}{\rightarrow} s'$  (Rule (4)), we can deduce  $s'.I(t) = s.I(t) + 1$ .

From  $s'.I(t) = s.I(t) + 1$  and  $s.I(t) < \text{upper}(I_s(t))$ , we can deduce  $s'.I(t) \leq \text{upper}(I_s(t))$ ; contradicts  $s'.I(t) > \text{upper}(I_s(t))$ .

4.  $\boxed{\text{upper}(I_s(t)) \neq \infty \wedge s'.I(t) \leq \text{upper}(I_s(t)) \Rightarrow s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"})}$ .

Assuming that  $\text{upper}(I_s(t)) \neq \infty$  and  $s'.I(t) \leq \text{upper}(I_s(t))$ , let us show

$\boxed{s'.I(t) = \sigma'(id_t)(\text{"s_time_counter"})}$ .

As  $\text{upper}(I_s(t)) \neq \infty$ , there exists an  $a \in \mathbb{N}^*$ , and a  $b \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, b]$ . Let us take such an  $a$  and  $b$ .

By construction,  $\langle \text{maximal\_time\_counter} \Rightarrow b \rangle \in gm_t$  and there exists  $tt \in \{\text{TEMP\_A\_A}, \text{TEMP\_A\_B}\}$  s.t.  $\langle \text{transition\_type} \Rightarrow tt \rangle \in gm_t$ ; by property of the elaboration relation, we can deduce  $\Delta(id_t)(\text{"mtc"}) = b = \text{upper}(I_s(t))$  and  $\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP}$ .

Let us perform case analysis on  $t \in \text{Sens}(s.M)$ :

(a) **CASE**  $t \notin \text{Sens}(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have  $\sigma(id_t)(\text{"se"}) = \text{false}$ .

Appealing (A.26) and  $\sigma(id_t)(\text{"se"}) = \text{false}$ , we have  $\sigma'(id_t)(\text{"stc"}) = 0$ .

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$  (Rule (6)), we have  $s'.I(t) = 0$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = 0$  and  $s'.I(t) = 0$ : tautology.

(b) **CASE**  $t \in \text{Sens}(s.M)$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have  $\sigma(id_t)(\text{"se"}) = \text{true}$ .

Let us perform case analysis on  $s.\text{reset}_t(t)$ :

i. **CASE**  $s.\text{reset}_t(t) = \text{true}$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have  $\sigma(id_t)(\text{"srtc"}) = \text{true}$ .

Appealing to (A.25),  $\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP}$ ,  $\sigma(id_t)(\text{"se"}) = \text{true}$  and  $\sigma(id_t)(\text{"srtc"}) = \text{true}$ , we have  $\sigma'(id_t)(\text{"stc"}) = 1$ .

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$  (Rule (3)), we have  $s'.I(t) = 1$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = 1$  and  $s'.I(t) = 1$ , tautology.

ii. **CASE**  $s.\text{reset}_t(t) = \text{false}$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ .

Let us perform case analysis on  $s.I(t) > \text{upper}(I_s(t))$  or  $s.I(t) \leq \text{upper}(I_s(t))$ :

A. **CASE**  $s.I(t) > \text{upper}(I_s(t))$ :

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$ , we have  $s.I(t) = s'.I(t)$ , and thus,  $s'.I(t) > \text{upper}(I_s(t))$ .

Contradicts  $s'.I(t) \leq \text{upper}(I_s(t))$ .

B. **CASE**  $s.I(t) \leq \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

- **CASE**  $s.I(t) < \text{upper}(I_s(t))$ :

From  $s.I(t) < \text{upper}(I_s(t))$ ,  $s.I(t) = \sigma(id_t)(\text{"stc"})$  and  $\Delta(id_t)(\text{"mtc"}) = b = \text{upper}(I_s(t))$ , we can deduce  $\sigma(id_t)(\text{"stc"}) < \Delta(id_t)(\text{"mtc"})$ .

From (A.23),  $\sigma(id_t)(\text{"se"}) = \text{true}$ ,  $\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP}$ ,  $\sigma(id_t)(\text{"srtc"}) = \text{false}$  and  $\sigma(id_t)(\text{"stc"}) < \Delta(id_t)(\text{"mtc"})$ , we can deduce  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) + 1$ .

By definition of  $E_c, \tau \vdash s \stackrel{\downarrow}{\rightarrow} s'$  (Rule (4)), we can deduce  $s'.I(t) = s.I(t) + 1$ .

Rewriting the goal with  $\sigma'(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"stc"}) + 1$  and  $s'.I(t) = s.I(t) + 1$ , tautology.

- **CASE**  $s.I(t) = \text{upper}(I_s(t))$ :

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), we know that  $s'.I(t) = s.I(t) + 1$ . We assumed that  $s'.I(t) \leq \text{upper}(I_s(t))$ ; thus,  $s.I(t) + 1 \leq \text{upper}(I_s(t))$ .

Contradicts  $s.I(t) = \text{upper}(I_s(t))$ .

□
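The four points just proved can be exercised on a finite model. The following Python is an added example, not code from the thesis or from the HILECOP tool chain: it encodes the SITPN falling edge Rules (3) to (6) for time counters, the `s_time_counter` update as the proof applies (A.23) to (A.26), and the time-counter clause of the state similarity relation, all as read off the case analysis above (that reading, and the function names, are assumptions), and checks exhaustively on small intervals that one falling edge preserves the relation.

```python
"""Finite-model check of the falling-edge time-counter lemma.

Constructed example: the SITPN rules (3)-(6), the s_time_counter update
deduced from (A.23)-(A.26) and the time-counter clause of the state
similarity relation are all read off the case analysis of the proof;
none of this is the thesis's own Coq development.
"""
from itertools import product
from typing import List, Optional, Tuple

INF = None  # upper(I_s(t)) = infinity is encoded as None


def sitpn_time_counter(I: int, sens: bool, reset: bool, upper: Optional[int]) -> int:
    """s'.I(t) after one falling edge, in the order the proof applies the rules."""
    if not sens:                       # Rule (6): t not sensitized, counter back to 0
        return 0
    if reset:                          # Rule (3): reset_t(t) = true, counter restarts at 1
        return 1
    if upper is INF or I <= upper:     # Rule (4): still counting inside the interval
        return I + 1
    return I                           # Rule (5): upper bound already exceeded, counter frozen


def vhdl_time_counter(stc: int, se: bool, srtc: bool, mtc: int, tt: str,
                      saturate: bool = True) -> int:
    """sigma'(id_t)("s_time_counter") as deduced from (A.23)-(A.26).

    saturate=False drops (A.24) and lets the counter run past mtc; it is
    only there to show which case of the proof that property carries.
    """
    if not se:                                      # (A.26)
        return 0
    if srtc and tt != "NOT_TEMP":                   # (A.25)
        return 1
    if not srtc and (stc < mtc or not saturate):    # (A.23)
        return stc + 1
    return stc                                      # (A.24): stc >= mtc, value kept


def generic_map(lower: int, upper: Optional[int]) -> Tuple[int, str]:
    """(maximal_time_counter, transition_type) generics of the transition component."""
    if upper is INF:
        return lower, "TEMP_A_INF"
    return upper, ("TEMP_A_A" if lower == upper else "TEMP_A_B")


def abstract_stc(I: int, lower: int, upper: Optional[int]) -> int:
    """The stc value related to I by the time-counter clause of s ~ sigma."""
    if upper is INF:
        return I if I < lower else lower
    return I if I <= upper else upper


def related(I: int, stc: int, lower: int, upper: Optional[int]) -> bool:
    return stc == abstract_stc(I, lower, upper)


def lemma_holds(I: int, sens: bool, reset: bool, lower: int,
                upper: Optional[int], saturate: bool = True) -> bool:
    """One instance of the lemma: from related states, one falling edge keeps them related."""
    mtc, tt = generic_map(lower, upper)
    stc = abstract_stc(I, lower, upper)        # build sigma from s through the relation
    I_next = sitpn_time_counter(I, sens, reset, upper)
    # "se" mirrors t in Sens(s.M) and "srtc" mirrors s.reset_t(t) in the relation
    stc_next = vhdl_time_counter(stc, sens, reset, mtc, tt, saturate)
    return related(I_next, stc_next, lower, upper)


def check_all(max_bound: int = 6, saturate: bool = True) -> List[tuple]:
    """Exhaustive check over small intervals; returns the counterexamples found."""
    failures = []
    for lower in range(1, max_bound + 1):                    # lower(I_s(t)) in N*
        for upper in [INF] + list(range(lower, max_bound + 1)):
            for I in range(0, max_bound + 3):                # includes I > upper
                for sens, reset in product((False, True), repeat=2):
                    if not lemma_holds(I, sens, reset, lower, upper, saturate):
                        failures.append((I, sens, reset, lower, upper))
    return failures


if __name__ == "__main__":
    print("counterexamples with (A.24):", check_all())
    print("counterexamples without (A.24):", check_all(saturate=False)[:3])
```

Running it with `saturate=False` exhibits exactly the states of points 2 and 3 (counter at or past the bound), which is where the proof leans on (A.24).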

### A.4.3 Falling edge and condition values

**Lemma 36** (Falling edge equal condition values). *For all  $\text{sitpn}, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Definition 23, then  $\forall c \in \mathcal{C}, id_c \in \text{Ins}(\Delta)$  s.t.  $\gamma(c) = id_c$ ,  $s'.\text{cond}(c) = \sigma'(id_c)$ .*

*Proof.* Given a  $c \in \mathcal{C}$  and an  $id_c \in \text{Ins}(\Delta)$  s.t.  $\gamma(c) = id_c$ , let us show  $s'.\text{cond}(c) = \sigma'(id_c)$ .

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (1)), we have  $s'.\text{cond}(c) = E_c(\tau, c)$ .

By property of the  $\text{Inject}_\downarrow$ , the  $\mathcal{H}$ -VHDL falling edge, the stabilize relations and  $id_c \in \text{Ins}(\Delta)$ , we have  $\sigma'(id_c) = E_p(\tau, \downarrow)(id_c)$ .

Rewriting the goal with  $s'.\text{cond}(c) = E_c(\tau, c)$  and  $\sigma'(id_c) = E_p(\tau, \downarrow)(id_c)$ :  $E_c(\tau, c) = E_p(\tau, \downarrow)(id_c)$

By definition of  $\gamma \vdash E_p \xrightarrow{\text{env}} E_c$ :  $E_c(\tau, c) = E_p(\tau, \downarrow)(id_c)$ .

□

### A.4.4 Falling and action executions

**Lemma 37** (Falling edge equal action executions). *For all  $\text{sitpn}, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Definition 23, then  $\forall a \in \mathcal{A}, id_a \in \text{Outs}(\Delta)$  s.t.  $\gamma(a) = id_a$ ,  $s'.\text{ex}(a) = \sigma'(id_a)$ .*

*Proof.* Given an  $a \in \mathcal{A}$  and an  $id_a \in \text{Outs}(\Delta)$  s.t.  $\gamma(a) = id_a$ , let us show  $s'.\text{ex}(a) = \sigma'(id_a)$ .

By property of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (2)):

$$s'.\text{ex}(a) = \sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) \quad (\text{A.27})$$

By construction, the generated action process is a part of design  $d$ 's behavior, i.e. there exist an  $sl \subseteq \text{Sigs}(\Delta)$  and an  $ss_a$  s.t.  $\text{ps}("action", \emptyset, sl, ss_a) \in d.cs$ .

By construction  $id_a$  is only assigned in the body of the action process during the initialization or a falling edge phase.

Let  $pls(a)$  be the set of places associated to action  $a$ , i.e.  $pls(a) = \{p \in P \mid \mathbb{A}(p, a) = \text{true}\}$ . Then, depending on  $pls(a)$ , there are two cases of assignment of output port  $id_a$ :

- **CASE**  $pls(a) = \emptyset$ :

By construction,  $id_a \Leftarrow \text{false} \in ss_{a\downarrow}$  where  $ss_{a\downarrow}$  is the part of the “action” process body executed during a falling edge phase.

By property of the  $\mathcal{H}$ -VHDL falling edge relation, the stabilize relation and  $\text{ps}("action", \emptyset, sl, ss_a) \in d.cs$ , we can deduce  $\sigma'(id_a) = \text{false}$ .

By property of  $\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a)$  and  $pls(a) = \emptyset$ , we can deduce  $\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) = \text{false}$ .

Rewriting the goal with (A.27),  $\sigma'(id_a) = \text{false}$  and  $\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) = \text{false}$ , tautology.

- **CASE**  $pls(a) \neq \emptyset$ :

By construction,  $\text{id}_a \Leftarrow \text{id}_{mp_0} + \dots + \text{id}_{mp_n} \in ss_{a\downarrow}$ , where  $id_{mp_i} \in Sigs(\Delta)$ ,  $ss_{a\downarrow}$  is the part of the action process body executed during the falling edge phase, and  $n = |pls(a)| - 1$ .

By property of the  $\text{Inject}_{\downarrow}$ , the  $\mathcal{H}$ -VHDL falling edge relation, the stabilize relation, and  $\text{ps}("action", \emptyset, sl, ss_a) \in d.cs$ :

$$\sigma'(id_a) = \sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n}) \quad (\text{A.28})$$

Rewriting the goal with (A.27) and (A.28):  $\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) = \sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n})$

Let us reason on the value of  $\sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n})$ ; there are two cases:

- **CASE**  $\sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n}) = \text{true}$ :

Then, we can rewrite the goal as follows:  $\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) = \text{true}$ .

To prove the above goal, let us show  $\exists p \in \text{marked}(s.M) \text{ s.t. } \mathbb{A}(p, a) = \text{true}$ .

From  $\sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n}) = \text{true}$ , we can deduce that  $\exists id_{mp_i} \text{ s.t. } \sigma(id_{mp_i}) = \text{true}$ . Let us take an  $id_{mp_i}$  s.t.  $\sigma(id_{mp_i}) = \text{true}$ .

By construction, there exist a  $p \in pls(a)$ , an  $id_p \in Comps(\Delta)$ ,  $gm_p$ ,  $ipm_p$  and  $opm_p$  such that:

- $\gamma(p) = id_p$
- $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$
- $\langle \text{marked} \Rightarrow \text{id}_{mp_i} \rangle \in opm_p$

Let us take such a  $p$ ,  $id_p$ ,  $gm_p$ ,  $ipm_p$  and  $opm_p$ .

By property of stable  $\sigma$  and  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce  $\sigma(id_{mp_i}) = \sigma(id_p)(\text{"marked"})$ .

By property of stable  $\sigma$ ,  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the `determine_marked` process defined in the place design architecture, we can deduce:

$$\sigma(id_p)(\text{"marked"}) = \sigma(id_p)(\text{"sm"}) > 0 \quad (\text{A.29})$$

From  $\sigma(id_{mp_i}) = \sigma(id_p)(\text{"marked"})$ , (A.29) and  $\sigma(id_{mp_i}) = \text{true}$ , we can deduce that  $\sigma(id_p)(\text{"marked"}) = \text{true}$  and  $(\sigma(id_p)(\text{"sm"}) > 0) = \text{true}$ .

By property of  $\gamma$ ,  $E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have  $s.M(p) = \sigma(id_p)(\text{"sm"})$ .

From  $s.M(p) = \sigma(id_p)(\text{"sm"})$  and  $(\sigma(id_p)(\text{"sm"}) > 0) = \text{true}$ , we can deduce  $p \in \text{marked}(s.M)$ , i.e.  $s.M(p) > 0$ .

Let us use  $p$  to prove the goal:  $\mathbb{A}(p, a) = \text{true}$ .

By definition of  $p \in pls(a)$ ,  $\mathbb{A}(p, a) = \text{true}$ .

- **CASE**  $\sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n}) = \text{false}$ :

Then, we can rewrite the goal as follows:  $\sum_{p \in \text{marked}(s.M)} \mathbb{A}(p, a) = \text{false}$ .

To prove the above goal, let us show  $\boxed{\forall p \in \text{marked}(s.M),\ \mathbb{A}(p, a) = \text{false}.}$

Given a  $p \in \text{marked}(s.M)$ , let us show  $\boxed{\mathbb{A}(p, a) = \text{false.}}$

Let us perform case analysis on  $\mathbb{A}(p, a)$ ; there are 2 cases:

\* **CASE**  $\mathbb{A}(p, a) = \text{false}$ : tautology.

\* **CASE**  $\mathbb{A}(p, a) = \text{true}$ :

By construction, there exist an  $id_p \in \text{Comps}(\Delta)$ ,  $gm_p$ ,  $ipm_p$ ,  $opm_p$  and  $id_{mp_i} \in \text{Sigs}(\Delta)$  such that:

- $\gamma(p) = id_p$
- $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$
- $\langle \text{marked} \Rightarrow id_{mp_i} \rangle \in opm_p$

Let us take such a  $id_p$ ,  $gm_p$ ,  $ipm_p$ ,  $opm_p$  and  $id_{mp_i}$ .

By property of stable  $\sigma$ ,  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , and  $\langle \text{marked} \Rightarrow id_{mp_i} \rangle \in opm_p$ , we can deduce  $\sigma(id_{mp_i}) = \sigma(id_p)(\text{"marked"})$ .

By property of stable  $\sigma$ ,  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the `determine_marked` process defined in the place design architecture, we can deduce:

$$\sigma(id_p)(\text{"marked"}) = (\sigma(id_p)(\text{"sm"}) > 0) \quad (\text{A.30})$$

From  $\sigma(id_{mp_0}) + \dots + \sigma(id_{mp_n}) = \text{false}$ , we can deduce  $\sigma(id_{mp_i}) = \text{false}$ .

From  $\sigma(id_p)(\text{"marked"}) = \text{false}$ , we can deduce  $(\sigma(id_p)(\text{"sm"}) > 0) = \text{false}$ .

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$ , we have  $s.M(p) = \sigma(id_p)(\text{"sm"})$ , and thus, we can deduce that  $s.M(p) = 0$  (equivalent to  $(s.M(p) > 0) = \text{false}$ ).

Contradicts  $\boxed{p \in \text{marked}(s.M)}$  (i.e.,  $s.M(p) > 0$ ).

□

### A.4.5 Falling edge and function executions

**Lemma 38** (Falling edge equal function executions). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Definition 23, then  $\forall f \in \mathcal{F}, id_f \in \text{Outs}(\Delta)$  s.t.  $\gamma(f) = id_f$ ,  $s'.ex(f) = \sigma'(id_f)$ .*

*Proof.* Given an  $f \in \mathcal{F}$  and an  $id_f \in \text{Outs}(\Delta)$  s.t.  $\gamma(f) = id_f$ , let us show  $\boxed{s'.ex(f) = \sigma'(id_f)}$ .

By property of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we can deduce  $s.ex(f) = s'.ex(f)$ .

By construction,  $id_f$  is an output port identifier of boolean type in the  $\mathcal{H}$ -VHDL design  $d$  assigned by the function process only during the initialization or during a rising edge phase.

By property of the  $\mathcal{H}$ -VHDL  $\text{Inject}_\uparrow$ , rising edge, stabilize relations, and the function process, we can deduce  $\sigma(id_f) = \sigma'(id_f)$ .

Rewriting the goal with  $s.ex(f) = s'.ex(f)$  and  $\sigma(id_f) = \sigma'(id_f)$ ,  $\boxed{s.ex(f) = \sigma(id_f)}$ .

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$ ,  $\boxed{s.ex(f) = \sigma(id_f)}$ .

□

### A.4.6 Falling edge and firable transitions

**Lemma 39** (Falling edge equal firable). *For all  $sitpn$ ,  $d$ ,  $\gamma$ ,  $\Delta$ ,  $\sigma_e$ ,  $E_c$ ,  $E_p$ ,  $\tau$ ,  $s$ ,  $s'$ ,  $\sigma$ ,  $\sigma_i$ ,  $\sigma_\downarrow$ ,  $\sigma'$  that verify the hypotheses of Definition 23, then  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  $t \in Firable(s') \Leftrightarrow \sigma'(id_t)(\text{"s_firable"}) = \text{true}$ .*

*Proof.* Given a  $t \in T$  and  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show that

$$t \in Firable(s') \Leftrightarrow \sigma'(id_t)(\text{"s_firable"}) = \text{true}.$$

The proof is in two parts:

- Assuming that  $t \in Firable(s')$ , let us show  $\sigma'(id_t)(\text{"s_firable"}) = \text{true}$ .

Appealing to Lemma 40:  $\sigma'(id_t)(\text{"s_firable"}) = \text{true}$ .

- Assuming that  $\sigma'(id_t)(\text{"s_firable"}) = \text{true}$ , let us show  $t \in Firable(s')$ .

Appealing to Lemma 41:  $t \in Firable(s')$ .

□

**Lemma 40** (Falling edge equal firable 1). *For all  $sitpn$ ,  $d$ ,  $\gamma$ ,  $\Delta$ ,  $\sigma_e$ ,  $E_c$ ,  $E_p$ ,  $\tau$ ,  $s$ ,  $s'$ ,  $\sigma$ ,  $\sigma_i$ ,  $\sigma_\downarrow$ ,  $\sigma'$  that verify the hypotheses of Definition 23, then  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ ,  $t \in Firable(s') \Rightarrow \sigma'(id_t)(\text{"s_firable"}) = \text{true}$ .*

*Proof.* Given a  $t \in T$  and  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , and assuming that  $t \in Firable(s')$ , let us show  $\sigma'(id_t)(\text{"s_firable"}) = \text{true}$ .

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the  $\text{Inject}_\downarrow$  relation, the  $\mathcal{H}$ -VHDL falling edge relation, the stabilize relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the firable process defined in the transition design architecture, we can deduce:

$$\sigma'(id_t)(\text{"sfa"}) = \sigma(id_t)(\text{"se"}) \cdot \sigma(id_t)(\text{"scc"}) \cdot \text{checktc}(\Delta(id_t), \sigma(id_t)) \quad (\text{A.31})$$

Term  $\text{checktc}(\Delta(id_t), \sigma(id_t))$  is defined as follows:

$$\begin{aligned} \text{checktc}(\Delta(id_t), \sigma(id_t)) = {} & \text{not } \sigma(id_t)(\text{"srtc"}) \cdot \big[ (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B} \cdot (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) \\ & \quad \cdot (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1)) \\ & + (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A} \cdot (\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1)) \\ & + (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF} \cdot (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1)) \big] \\ & + (\sigma(id_t)(\text{"srtc"}) \cdot \Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP} \cdot \sigma(id_t)(\text{"A"}) = 1) \\ & + (\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}) \end{aligned} \quad (\text{A.32})$$

Rewriting the goal with (A.31):  $\sigma(id_t)(\text{"se"}) \cdot \sigma(id_t)(\text{"scc"}) \cdot \text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}$ . Then, there are three points to prove:

1.  $\boxed{\sigma(id_t)(\text{"se"}) = \text{true}}$ :

From  $t \in \text{Firable}(s')$ , we can deduce  $t \in \text{Sens}(s'.M)$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s.M = s'.M$ , and thus, we can deduce  $t \in \text{Sens}(s.M)$ .

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we know that  $t \in \text{Sens}(s.M)$  implies  $\sigma(id_t)(\text{"se"}) = \text{true}$ .

2.  $\boxed{\sigma(id_t)(\text{"scc"}) = \text{true}}$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ :

$$\sigma(id_t)(\text{"scc"}) = \prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases} \quad (\text{A.33})$$

where  $\text{conds}(t) = \{c \in \mathcal{C} \mid \mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1\}$ .

Rewriting the goal with (A.33):  $\prod_{c \in \text{conds}(t)} \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases} = \text{true}$ .

To ease the reading, let us define  $f(c) = \begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases}$ .

Let us reason by induction on the left term of the goal:

- **BASE CASE:**  $\text{true} = \text{true}$ .

- **INDUCTION CASE:** assuming the induction hypothesis

$$\prod_{c' \in \text{conds}(t) \setminus \{c\}} f(c') = \text{true},$$

let us show

$$f(c) \cdot \prod_{c' \in \text{conds}(t) \setminus \{c\}} f(c') = \text{true}.$$

Rewriting the goal with the induction hypothesis, simplifying the goal, and unfolding the definition of  $f(c)$ :  $\begin{cases} E_c(\tau, c) & \text{if } \mathbb{C}(t, c) = 1 \\ \text{not}(E_c(\tau, c)) & \text{if } \mathbb{C}(t, c) = -1 \end{cases} = \text{true}$ .

As  $c \in \text{conds}(t)$ , let us perform case analysis on  $\mathbb{C}(t, c) = 1 \vee \mathbb{C}(t, c) = -1$ :

(a) **CASE**  $\mathbb{C}(t, c) = 1$ :  $E_c(\tau, c) = \text{true}$ .

By definition of  $t \in \text{Firable}(s')$ , we can deduce that  $s'.cond(c) = \text{true}$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (1)), we have  $s'.cond(c) = E_c(\tau, c)$ . Thus,  $E_c(\tau, c) = \text{true}$ .

(b) **CASE**  $\mathbb{C}(t, c) = -1$ :  $\boxed{\text{not } E_c(\tau, c) = \text{true}}$

By definition of  $t \in \text{Firable}(s')$ , we can deduce that  $s'.cond(c) = \text{false}$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (1)), we have  $s'.cond(c) = E_c(\tau, c)$ . Thus,  $\text{not } E_c(\tau, c) = \text{true}$ .

3.  $\boxed{\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}}$ :

By definition of  $t \in \text{Firable}(s')$ , we have  $t \notin T_i \vee s'.I(t) \in I_s(t)$ . Let us perform case analysis on  $t \notin T_i \vee s'.I(t) \in I_s(t)$ :

(a) **CASE**  $t \notin T_i$ :  $\boxed{\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}}$

By construction,  $\langle \text{transition\_type} \Rightarrow \text{NOT\_TEMP} \rangle \in gm_t$ , and by property of the elaboration relation, we have  $\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}$ .

From  $\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}$ , and by definition of  $\text{checktc}(\Delta(id_t), \sigma(id_t))$ , we can deduce  $\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}$ .

(b) **CASE**  $s'.I(t) \in I_s(t)$ :  $\boxed{\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}}$

From  $s'.I(t) \in I_s(t)$ , we can deduce that  $t \in T_i$ . Thus, by construction, there exists  $tt \in \{\text{TEMP\_A\_B}, \text{TEMP\_A\_A}, \text{TEMP\_A\_INF}\}$  s.t.  $\langle \text{transition\_type} \Rightarrow tt \rangle \in gm_t$ . By property of the elaboration relation, we have  $\Delta(id_t)(\text{"tt"}) = tt$ , and thus, we know  $\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP}$ . Therefore, we can simplify the term  $\text{checktc}(\Delta(id_t), \sigma(id_t))$  as follows:

$$\begin{aligned} \text{checktc}(\Delta(id_t), \sigma(id_t)) = {} & \text{not } \sigma(id_t)(\text{"srtc"}) \cdot \big[ (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B} \cdot (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) \\ & \quad \cdot (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1)) \\ & + (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A} \cdot (\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1)) \\ & + (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF} \cdot (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1)) \big] \\ & + (\sigma(id_t)(\text{"srtc"}) \cdot \sigma(id_t)(\text{"A"}) = 1) \end{aligned} \tag{A.34}$$

By definition of  $\gamma, E_c, \tau \vdash s \overset{\uparrow}{\approx} \sigma$ , we have  $s.\text{reset}_t(t) = \sigma(id_t)(\text{"srtc"})$ .

Let us perform case analysis on the value  $s.\text{reset}_t(t)$ :

i. **CASE**  $s.\text{reset}_t(t) = \text{true}$ :  $\boxed{\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}}$

From  $s.\text{reset}_t(t) = \sigma(id_t)(\text{"srtc"})$ , we can deduce that  $\sigma(id_t)(\text{"srtc"}) = \text{true}$ .

From  $\sigma(id_t)(\text{"srtc"}) = \text{true}$ , we can simplify the term  $\text{checktc}(\Delta(id_t), \sigma(id_t))$  as follows:

$$\text{checktc}(\Delta(id_t), \sigma(id_t)) = (\sigma(id_t)(\text{"A"}) = 1) \tag{A.35}$$

Rewriting the goal with (A.35), and simplifying the goal:  $\sigma(id_t)(\text{"A"}) = 1$ .

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (3)), from  $t \in Sens(s.M)$  and  $s.reset_t(t) = \text{true}$ , we can deduce  $s'.I(t) = 1$ . We know that  $s'.I(t) \in I_s(t)$ , and thus, we have  $1 \in I_s(t)$ .

By definition of  $1 \in I_s(t)$ , there exist an  $a \in \mathbb{N}^*$  and a  $ni \in \mathbb{N}^* \sqcup \{\infty\}$  s.t.  $I_s(t) = [a, ni]$  and  $1 \in [a, ni]$ .

By definition of  $1 \in [a, ni]$ , we have  $a \leq 1$ , and since  $a \in \mathbb{N}^*$ , we can deduce  $a = 1$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a = 1$ .

ii. **CASE**  $s.reset_t(t) = \text{false}$ :  $\boxed{\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}}$

From  $s.reset_t(t) = \sigma(id_t)(\text{"srtc"})$ , we can deduce  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ .

From  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ , we can simplify the term  $\text{checktc}(\Delta(id_t), \sigma(id_t))$  as follows:

$$\begin{aligned} \text{checktc}(\Delta(id_t), \sigma(id_t)) = {} & (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B} \cdot (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) \\ & \quad \cdot (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1)) \\ & + (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A} \cdot (\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1)) \\ & + (\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF} \cdot (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1)) \end{aligned} \quad (\text{A.36})$$

Let us perform case analysis on  $I_s(t)$ ; there are two cases:

- **CASE**  $I_s(t) = [a, b]$  where  $a, b \in \mathbb{N}^*$ ; then, either  $a = b$  or  $a \neq b$ :

- **CASE**  $a = b$ :

Then, we have  $I_s(t) = [a, a]$ , and by construction  $\langle \text{transition\_type} \Rightarrow \text{TEMP\_A\_A} \rangle \in gm_t$ . By property of the elaboration relation, we have  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A}$ ; thus we can simplify the  $\text{checktc}$  term as follows:

$$\text{checktc}(\Delta(id_t), \sigma(id_t)) = (\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1) \tag{A.37}$$

Rewriting the goal with (A.37), and simplifying the goal:

$$\boxed{\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1.}$$

From  $s'.I(t) \in [a, a]$ , we can deduce that  $s'.I(t) = a$ . Let us perform case analysis on  $s.I(t) < \text{upper}(I_s(t))$  or  $s.I(t) \geq \text{upper}(I_s(t))$ :

- **CASE**  $s.I(t) < \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \approx \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), we have  $s'.I(t) = s.I(t) + 1$ . From  $s'.I(t) = a$  and  $s'.I(t) = s.I(t) + 1$ , we can deduce  $a - 1 = s.I(t)$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$ .

Rewriting the goal with  $\sigma(id_t)(\text{"A"}) = a$ ,  $s.I(t) = \sigma(id_t)(\text{"stc"})$ , and  $a - 1 = s.I(t)$ : **tautology**.

- **CASE**  $s.I(t) \geq \text{upper}(I_s(t))$ :

In the case where  $s.I(t) > \text{upper}(I_s(t))$ , then  $s.I(t) > a$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (5)), we have  $s.I(t) = s'.I(t) = a$ . Then,  $a > a$  is a contradiction.

In the case where  $s.I(t) = \text{upper}(I_s(t))$ , then  $s.I(t) = a$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), we have  $s'.I(t) = s.I(t) + 1$ . Then, we have  $s'.I(t) = a$  and  $s'.I(t) = a + 1$ . Then,  $a = a + 1$  is a contradiction.

- **CASE**  $a \neq b$ :  $\boxed{\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}}$

Then, we have  $I_s(t) = [a, b]$ , and by construction  $\langle \text{transition\_type} \Rightarrow \text{TEMP\_A\_B} \rangle \in gm_t$ . By property of the elaboration relation, we have  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B}$ ; thus we can simplify the term  $\text{checktc}$  as follows:

$$\begin{aligned} & \text{checktc}(\Delta(id_t), \sigma(id_t)) \\ &= \\ & (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) \wedge (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1) \end{aligned} \tag{A.38}$$

Rewriting the goal with (A.38), and simplifying the goal:

$$\boxed{(\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) \wedge (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1)}.$$

Let us perform case analysis on  $s.I(t) < \text{upper}(I_s(t))$  or  $s.I(t) \geq \text{upper}(I_s(t))$ :

- **CASE**  $s.I(t) < \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \approx \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), we have  $s'.I(t) = s.I(t) + 1$ . By definition of  $s'.I(t) \in [a, b]$ :

$$\begin{aligned} & \Rightarrow a \leq s'.I(t) \leq b \\ & \Rightarrow a \leq s'.I(t) \wedge s'.I(t) \leq b \\ & \Rightarrow a \leq s.I(t) + 1 \wedge s.I(t) + 1 \leq b \\ & \Rightarrow a - 1 \leq s.I(t) \wedge s.I(t) \leq b - 1 \end{aligned}$$

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$  and  $\langle \text{time\_B\_value} \Rightarrow b \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$  and  $\sigma(id_t)(\text{"B"}) = b$ .

Rewriting the goal with  $\sigma(id_t)(\text{"A"}) = a$ ,  $\sigma(id_t)(\text{"B"}) = b$  and  $s.I(t) = \sigma(id_t)(\text{"stc"})$ :

$$\boxed{a - 1 \leq s.I(t) \wedge s.I(t) \leq b - 1.}$$

- **CASE**  $s.I(t) \geq \text{upper}(I_s(t))$ :

In the case where  $s.I(t) > \text{upper}(I_s(t))$ , then  $s.I(t) > b$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (5)), we have  $s.I(t) = s'.I(t) = b$ . Then,  $b > b$  is a contradiction.

In the case where  $s.I(t) = \text{upper}(I_s(t))$ , then  $s.I(t) = b$ . By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), we have  $s'.I(t) = s.I(t) + 1$ .

By definition of  $s'.I(t) \in [a, b]$ , we have  $s'.I(t) \leq b$ :

$$\begin{aligned} & \Rightarrow s.I(t) + 1 \leq b \\ & \Rightarrow b + 1 \leq b \text{ is contradiction.} \end{aligned}$$

- **CASE**  $I_s(t) = [a, \infty)$  where  $a \in \mathbb{N}^*$ :  $\boxed{\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}}$

By construction  $\langle \text{transition\_type} \Rightarrow \text{TEMP\_A\_INF} \rangle \in gm_t$ . By property of the elaboration relation, we have  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF}$ ; thus we can simplify the term  $\text{checktc}$  as follows:

$$\text{checktc}(\Delta(id_t), \sigma(id_t)) = (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) \quad (\text{A.39})$$

Rewriting the goal with (A.39), and simplifying the goal:

$$\boxed{\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1.}$$

From  $s'.I(t) \in [a, \infty]$ , we can deduce  $a \leq s'.I(t)$ . Then, let us perform case analysis on  $s.I(t) \leq \text{lower}(I_s(t))$  or  $s.I(t) > \text{lower}(I_s(t))$ :

- **CASE**  $s.I(t) \leq \text{lower}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \approx \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), we have  $s'.I(t) = s.I(t) + 1$ :

$$\begin{aligned} & \Rightarrow s'.I(t) \geq a \\ & \Rightarrow s.I(t) + 1 \geq a \\ & \Rightarrow s.I(t) \geq a - 1 \end{aligned}$$

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$ .

Rewriting the goal with  $\sigma(id_t)(\text{"A"}) = a$  and  $s.I(t) = \sigma(id_t)(\text{"stc"})$ :

$$\boxed{s.I(t) \geq a - 1.}$$

- **CASE**  $s.I(t) > \text{lower}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \approx \sigma$ , we have  $\sigma(id_t)(\text{"stc"}) = \text{lower}(I_s(t)) = a$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$ .

Rewriting the goal with  $\sigma(id_t)(\text{"stc"}) = a$  and  $\sigma(id_t)(\text{"A"}) = a$ :  $\boxed{a \geq a - 1.}$

□

**Lemma 41** (Falling Edge Equal Firable 2). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Definition 23, then  $\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t, \sigma'(id_t)(\text{"s\_firable"}) = \text{true} \Rightarrow t \in \text{Firable}(s')$ .*

*Proof.* Given a  $t \in T$  and  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , and assuming that  $\sigma'(id_t)(\text{"s\_firable"}) = \text{true}$ , let us show  $\boxed{t \in \text{Firable}(s')}$ .

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the  $\text{Inject}_\downarrow$  relation, the  $\mathcal{H}$ -VHDL falling edge relation, the stabilize relation,  $\text{comp}(id_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the `firable` process defined in the transition design architecture, we can deduce:

$$\sigma'(id_t)(\text{"sfa"}) = \sigma(id_t)(\text{"se"}) \cdot \sigma(id_t)(\text{"scc"}) \cdot \text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true} \quad (\text{A.40})$$

From (A.40), we can deduce:

$$\sigma(id_t)(\text{"se"}) = \text{true} \quad (\text{A.41})$$

$$\sigma(id_t)(\text{"scc"}) = \text{true} \quad (\text{A.42})$$

$$\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true} \quad (\text{A.43})$$

The term  $\text{checktc}(\Delta(id_t), \sigma(id_t))$  has the same definition as in Lemma Falling edge equal firable 1. By definition of  $t \in \text{Firable}(s')$ , there are three points to prove:

1.  $t \in \text{Sens}(s'.M)$
2.  $\forall c \in \mathcal{C}, \mathbb{C}(t, c) = 1 \Rightarrow s'.\text{cond}(c) = \text{true}$  and  $\mathbb{C}(t, c) = -1 \Rightarrow s'.\text{cond}(c) = \text{false}$
3.  $t \notin T_i \vee s'.I(t) \in I_s(t)$

Let us prove these three points:

1.  $t \in \text{Sens}(s'.M)$ :

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$ , we have  $s.M = s'.M$ . Rewriting the goal with  $s.M = s'.M$ :  $t \in \text{Sens}(s.M)$ .

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have  $\sigma(id_t)(\text{"se"}) = \text{true} \Leftrightarrow t \in \text{Sens}(s.M)$ .

From  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce:  $t \in \text{Sens}(s.M)$ .

2.  $\forall c \in \mathcal{C}, \mathbb{C}(t, c) = 1 \Rightarrow s'.\text{cond}(c) = \text{true}$  and  $\mathbb{C}(t, c) = -1 \Rightarrow s'.\text{cond}(c) = \text{false}$

Given a  $c \in \mathcal{C}$ , there are two points to prove:

- (a)  $\mathbb{C}(t, c) = 1 \Rightarrow s'.\text{cond}(c) = \text{true}$ .
- (b)  $\mathbb{C}(t, c) = -1 \Rightarrow s'.\text{cond}(c) = \text{false}$ .

Let us prove these two points:

- (a) Assuming that  $\mathbb{C}(t, c) = 1$ , let us show  $s'.\text{cond}(c) = \text{true}$ .

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have:

$$\sigma(id_t)(\text{"scc"}) = \prod_{c' \in \text{conds}(t)} \begin{cases} E_c(\tau, c') & \text{if } \mathbb{C}(t, c') = 1 \\ \text{not}(E_c(\tau, c')) & \text{if } \mathbb{C}(t, c') = -1 \end{cases} = \text{true} \quad (\text{A.44})$$

where  $\text{conds}(t) = \{c_i \in \mathcal{C} \mid \mathbb{C}(t, c_i) = 1 \vee \mathbb{C}(t, c_i) = -1\}$ .

From  $\mathbb{C}(t, c) = 1$ , we can deduce  $c \in \text{conds}(t)$ . By definition of the product expression, we have:

$$E_c(\tau, c) \cdot \prod_{c' \in \text{conds}(t) \setminus \{c\}} \begin{cases} E_c(\tau, c') & \text{if } \mathbb{C}(t, c') = 1 \\ \text{not}(E_c(\tau, c')) & \text{if } \mathbb{C}(t, c') = -1 \end{cases} = \text{true} \quad (\text{A.45})$$

From (A.45), we can deduce that  $E_c(\tau, c) = \text{true}$ .

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (1)), we have  $s'.\text{cond}(c) = E_c(\tau, c)$ .

Rewriting the goal with  $s'.\text{cond}(c) = E_c(\tau, c)$  and  $E_c(\tau, c) = \text{true}$ : tautology.

- (b) Assuming that  $\mathbb{C}(t, c) = -1$ , let us show  $s'.\text{cond}(c) = \text{false}$ .

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have:

$$\sigma(id_t)(\text{"scc"}) = \prod_{c' \in \text{conds}(t)} \begin{cases} E_c(\tau, c') & \text{if } \mathbb{C}(t, c') = 1 \\ \text{not}(E_c(\tau, c')) & \text{if } \mathbb{C}(t, c') = -1 \end{cases} = \text{true} \quad (\text{A.46})$$

where  $\text{conds}(t) = \{c' \in \mathcal{C} \mid \mathbb{C}(t, c') = 1 \vee \mathbb{C}(t, c') = -1\}$ .

From  $\mathbb{C}(t, c) = -1$ , we can deduce  $c \in \text{conds}(t)$ . By definition of the product expression, we have:

$$\text{not } E_c(\tau, c) . \prod_{c' \in \text{conds}(t) \setminus \{c\}} \begin{cases} E_c(\tau, c') & \text{if } \mathbb{C}(t, c') = 1 \\ \text{not}(E_c(\tau, c')) & \text{if } \mathbb{C}(t, c') = -1 \end{cases} = \text{true} \quad (\text{A.47})$$

From (A.47), we can deduce that  $E_c(\tau, c) = \text{false}$ .

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (1)), we have  $s'.\text{cond}(c) = E_c(\tau, c)$ .

Rewriting the goal with  $s'.cond(c) = E_c(\tau, c)$  and  $E_c(\tau, c) = \text{false}$ : tautology.

3.  $t \notin T_i \vee s'.I(t) \in I_s(t)$

Reasoning on  $\text{checktc}(\Delta(id_t), \sigma(id_t)) = \text{true}$ , there are 3 cases:

- (a)  $(\text{not } \sigma(id_t)(\text{"srtc"}) . [\dots]) = \text{true}$ <sup>1</sup>
- (b)  $(\sigma(id_t)(\text{"srtc"}) . \Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP} . \sigma(id_t)(\text{"A"}) = 1) = \text{true}$
- (c)  $(\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}) = \text{true}$

- (a) **CASE**  $(\text{not } \sigma(id_t)(\text{"srtc"}) . [\dots]) = \text{true}$ :

Then, we can deduce  $\text{not } \sigma(id_t)(\text{"srtc"}) = \text{true}$  and  $[\dots] = \text{true}$ . From  $\text{not } \sigma(id_t)(\text{"srtc"}) = \text{true}$ , we can deduce  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ , and from  $[\dots] = \text{true}$ , we have three other cases:

- i. **CASE**  $(\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B} . (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) . (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1)) = \text{true}$
- ii. **CASE**  $(\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A} . (\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1)) = \text{true}$
- iii. **CASE**  $(\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF} . (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1)) = \text{true}$

Let us prove the goal in these three contexts:

- i. **CASE**  $(\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B} . (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1) . (\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1)) = \text{true}$ :

Then, converting boolean equalities into intuitionistic predicates, we have:

- $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B}$
- $\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1$
- $\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1$

---

<sup>1</sup>See equation (A.32) for the full definition.

By property of the elaboration relation, and  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_B}$ , there exist  $a, b \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, b]$ . Let us take such an  $a$  and  $b$ . Then, let us show  $s'.I(t) \in I_s(t)$ .

Rewriting the goal with  $I_s(t) = [a, b]$ :  $s'.I(t) \in [a, b]$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$  and  $\langle \text{time\_B\_value} \Rightarrow b \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$  and  $\sigma(id_t)(\text{"B"}) = b$ .

Rewriting the goal with  $\sigma(id_t)(\text{"A"}) = a$  and  $\sigma(id_t)(\text{"B"}) = b$ , and by definition of  $\in$ :  $\sigma(id_t)(\text{"A"}) \leq s'.I(t) \leq \sigma(id_t)(\text{"B"})$ .

Now, let us perform case analysis on  $s.I(t) \leq \text{upper}(I_s(t))$  or  $s.I(t) > \text{upper}(I_s(t))$ :

- **CASE**  $s.I(t) \leq \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

From  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce  $t \in \text{Sens}(s.M)$ , and from  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ , we can deduce  $s.reset_t(t) = \text{false}$ . Then, by definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), we have  $s'.I(t) = s.I(t) + 1$ .

$$\begin{aligned} &\Rightarrow \sigma(id_t)(\text{"A"}) \leq s.I(t) + 1 \leq \sigma(id_t)(\text{"B"}) \quad (\text{by } s'.I(t) = s.I(t) + 1) \\ &\Rightarrow \sigma(id_t)(\text{"A"}) \leq \sigma(id_t)(\text{"stc"}) + 1 \leq \sigma(id_t)(\text{"B"}) \quad (\text{by } s.I(t) = \sigma(id_t)(\text{"stc"})) \\ &\Rightarrow \sigma(id_t)(\text{"A"}) - 1 \leq \sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1 \end{aligned}$$

We assumed  $\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1$  and  $\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1$ , and thus we can deduce  $\sigma(id_t)(\text{"A"}) - 1 \leq \sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1$ .

- **CASE**  $s.I(t) > \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have  $\sigma(id_t)(\text{"stc"}) = \text{upper}(I_s(t)) = b$ .

Then, from  $\sigma(id_t)(\text{"stc"}) \leq \sigma(id_t)(\text{"B"}) - 1$ ,  $\sigma(id_t)(\text{"stc"}) = \text{upper}(I_s(t)) = b$  and  $\sigma(id_t)(\text{"B"}) = b$ , we can deduce the following contradiction:

$$\sigma(id_t)(\text{"B"}) \leq \sigma(id_t)(\text{"B"}) - 1.$$

- ii. **CASE**  $(\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A} . (\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1)) = \text{true}$ :

Then, converting boolean equalities into intuitionistic predicates, we have:

- $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A}$
- $\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1$

By property of the elaboration relation, and  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_A}$ , there exists an  $a \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, a]$ . Let us take such an  $a$ . Then, let us show  $s'.I(t) \in I_s(t)$ .

Rewriting the goal with  $I_s(t) = [a, a]$ :  $s'.I(t) \in [a, a]$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$ .

Rewriting the goal with  $\sigma(id_t)(\text{"A"}) = a$ , unfolding the definition of  $\in$ , and simplifying the goal:  $s'.I(t) = \sigma(id_t)(\text{"A"})$ .

Now, let us perform case analysis on  $s.I(t) \leq \text{upper}(I_s(t))$  or  $s.I(t) > \text{upper}(I_s(t))$ :

- **CASE**  $s.I(t) \leq \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

From  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce  $t \in \text{Sens}(s.M)$ , and from  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ , we can deduce  $s.reset_t(t) = \text{false}$ . Then, by definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), we have  $s'.I(t) = s.I(t) + 1$ .

$$\begin{aligned} &\Rightarrow s.I(t) + 1 = \sigma(id_t)(\text{"A"}) \quad (\text{by } s'.I(t) = s.I(t) + 1) \\ &\Rightarrow \sigma(id_t)(\text{"stc"}) + 1 = \sigma(id_t)(\text{"A"}) \quad (\text{by } s.I(t) = \sigma(id_t)(\text{"stc"})) \\ &\Rightarrow \sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1 \quad (\text{assumption}) \end{aligned}$$

- **CASE**  $s.I(t) > \text{upper}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \approx \sigma$ , we have  $\sigma(id_t)(\text{"stc"}) = \text{upper}(I_s(t)) = a$ . Then, from  $\sigma(id_t)(\text{"stc"}) = \sigma(id_t)(\text{"A"}) - 1$ ,  $\sigma(id_t)(\text{"stc"}) = \text{upper}(I_s(t)) = a$ ,  $\sigma(id_t)(\text{"A"}) = a$ , and  $a \in \mathbb{N}^*$ , we can derive the following contradiction:

$$\sigma(id_t)(\text{"A"}) = \sigma(id_t)(\text{"A"}) - 1.$$

- iii. **CASE**  $(\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF} . (\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1)) = \text{true}$ :

Then, converting boolean equalities into intuitionistic predicates, we have:

- $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF}$
- $\sigma(id_t)(\text{"stc"}) \geq \sigma(id_t)(\text{"A"}) - 1$

By property of the elaboration relation, and  $\Delta(id_t)(\text{"tt"}) = \text{TEMP\_A\_INF}$ , there exists an  $a \in \mathbb{N}^*$  s.t.  $I_s(t) = [a, \infty]$ . Let us take such an  $a$ . Then, let us show  $s'.I(t) \in I_s(t)$ .

Rewriting the goal with  $I_s(t) = [a, \infty]$ :  $s'.I(t) \in [a, \infty]$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$ .

Rewriting the goal with  $\sigma(id_t)(\text{"A"}) = a$ , unfolding the definition of  $\in$ , and simplifying the goal:  $\sigma(id_t)(\text{"A"}) \leq s'.I(t)$ .

Now, let us perform case analysis on  $s.I(t) \leq \text{lower}(I_s(t))$  or  $s.I(t) > \text{lower}(I_s(t))$ :

- **CASE**  $s.I(t) \leq \text{lower}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \approx \sigma$ , we have  $s.I(t) = \sigma(id_t)(\text{"stc"})$ .

From  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce  $t \in \text{Sens}(s.M)$ , and from  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ , we can deduce  $s.reset_t(t) = \text{false}$ . Then, by definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), we have  $s'.I(t) = s.I(t) + 1$ .

$$\begin{aligned} &\Rightarrow \sigma(id_t)(\text{"A"}) \leq s.I(t) + 1 \quad (\text{by } s'.I(t) = s.I(t) + 1) \\ &\Rightarrow \sigma(id_t)(\text{"A"}) \leq \sigma(id_t)(\text{"stc"}) + 1 \quad (\text{by } s.I(t) = \sigma(id_t)(\text{"stc"})) \\ &\Rightarrow \sigma(id_t)(\text{"A"}) - 1 \leq \sigma(id_t)(\text{"stc"}) \quad (\text{assumption}) \end{aligned}$$

- **CASE**  $s.I(t) > \text{lower}(I_s(t))$ :

By definition of  $\gamma, E_c, \tau \vdash s \approx \sigma$ , we have  $\sigma(id_t)(\text{"stc"}) = \text{lower}(I_s(t)) = a$ .

From  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce  $t \in \text{Sens}(s.M)$ , and from  $\sigma(id_t)(\text{"srtc"}) = \text{false}$ , we can deduce  $s.reset_t(t) = \text{false}$ . Then, by definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (4)), we have  $s'.I(t) = s.I(t) + 1$ .

$$\begin{aligned} &\Rightarrow \sigma(id_t)(\text{"A"}) \leq s.I(t) + 1 \quad (\text{by } s'.I(t) = s.I(t) + 1) \\ &\Rightarrow a \leq s.I(t) + 1 \quad (\text{by } \sigma(id_t)(\text{"A"}) = a) \\ &\Rightarrow a < s.I(t) \\ &\Rightarrow \text{lower}(I_s(t)) < s.I(t) \quad (\text{assumption}) \end{aligned}$$

- (b) **CASE**  $(\sigma(id_t)(\text{"srtc"}) . \Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP} . \sigma(id_t)(\text{"A"}) = 1) = \text{true}$ :

Then, converting boolean equalities into intuitionistic predicates, we have:

- $\sigma(id_t)(\text{"srtc"}) = \text{true}$
- $\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP}$
- $\sigma(id_t)(\text{"A"}) = 1$

By property of the elaboration relation, and  $\Delta(id_t)(\text{"tt"}) \neq \text{NOT\_TEMP}$ , there exist an  $a \in \mathbb{N}^*$  and a  $ni \in \mathbb{N}^* \sqcup \{\infty\}$  s.t.  $I_s(t) = [a, ni]$ . Let us take such an  $a$  and  $ni$ .

By construction,  $\langle \text{time\_A\_value} \Rightarrow a \rangle \in ipm_t$ , and by property of stable  $\sigma$ , we have  $\sigma(id_t)(\text{"A"}) = a$ . Thus, we can deduce  $a = 1$  and  $I_s(t) = [1, ni]$ .

By definition of  $\gamma, E_c, \tau \vdash s \stackrel{\uparrow}{\approx} \sigma$ , from  $\sigma(id_t)(\text{"se"}) = \text{true}$ , we can deduce  $t \in \text{Sens}(s.M)$ , and from  $\sigma(id_t)(\text{"srtc"}) = \text{true}$ , we can deduce  $s.reset_t(t) = \text{true}$ .

By definition of  $E_c, \tau \vdash s \xrightarrow{\downarrow} s'$  (Rule (3)),  $t \in \text{Sens}(s.M)$  and  $s.reset_t(t) = \text{true}$ , we have  $s'.I(t) = 1$ .

Now, let us show  $\boxed{s'.I(t) \in I_s(t)}$ .

Rewriting the goal with  $s'.I(t) = 1$  and  $I_s(t) = [1, ni]$ :  $1 \in [1, ni]$ .

- (c) **CASE**  $(\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}) = \text{true}$ :

Let us show  $\boxed{t \notin T_i}$ .

By property of the elaboration relation and  $\Delta(id_t)(\text{"tt"}) = \text{NOT\_TEMP}$ , we have  $t \notin T_i$ .

□
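The two lemmas above relate the hardware-side predicate  $\text{checktc}$  to the SITPN-side condition  $t \notin T_i \vee s'.I(t) \in I_s(t)$  by case analysis on the transition type. The following constructed Python model (added here; it is not the thesis' Coq development) implements both sides for all three interval types and brute-forces their agreement; the saturating-counter similarity relation between  $s.I(t)$  and  $\text{"stc"}$ , and the numbering of the falling-edge rules, are assumptions read off the proof text.

```python
"""Executable cross-check of the time-counter part of the two lemmas above.

Constructed model, not the thesis' Coq development. It implements:
  - VHDL side: checktc over the transition component's generic "tt" and the
    signals "srtc", "stc", "A", "B" (equation (A.34) plus the NOT_TEMP case);
  - SITPN side: t ∉ T_i ∨ s'.I(t) ∈ I_s(t), with s'.I(t) derived from s.I(t)
    by falling-edge Rules (3), (4) and (5) as they are used in the proofs.
The link between s.I(t) and "stc" (a counter saturating at upper(I_s(t)), or
at lower(I_s(t)) for [a, ∞]) is an assumption taken from the proof text.
"""
import math
from itertools import product

INF = math.inf


def checktc(tt, srtc, stc, A, B):
    """VHDL-side check; B is only read for TEMP_A_B."""
    if tt == "NOT_TEMP":          # case (c): t is not a time transition
        return True
    if srtc:                      # case (b): counter is about to be reset to 1
        return A == 1
    if tt == "TEMP_A_B":          # case (a)-i
        return A - 1 <= stc <= B - 1
    if tt == "TEMP_A_A":          # case (a)-ii
        return stc == A - 1
    if tt == "TEMP_A_INF":        # case (a)-iii
        return stc >= A - 1
    raise ValueError(f"unknown transition type {tt!r}")


def transition_type(interval):
    """Generic 'transition_type' fixed at construction from I_s(t) (None: t ∉ T_i)."""
    if interval is None:
        return "NOT_TEMP"
    a, b = interval
    if b == INF:
        return "TEMP_A_INF"
    return "TEMP_A_A" if a == b else "TEMP_A_B"


def falling_edge_counter(interval, reset, i):
    """s'.I(t) for a sensitized t with s.I(t) = i."""
    if reset:
        return 1                      # Rule (3)
    _, b = interval
    return i + 1 if i <= b else i     # Rule (4) if i <= upper, else Rule (5)


def stc_of(interval, i):
    """Assumed similarity relation: value of signal "stc" when s.I(t) = i."""
    a, b = interval
    sat = a if b == INF else b        # saturation point of the hardware counter
    return i if i <= sat else sat


def sitpn_side(interval, reset, i):
    """t ∉ T_i ∨ s'.I(t) ∈ I_s(t)."""
    if interval is None:
        return True
    a, b = interval
    return a <= falling_edge_counter(interval, reset, i) <= b


def counterexamples(max_a=5, max_b=8):
    """Every (I_s(t), reset, s.I(t)) in the search space where the two sides differ.

    An empty list means checktc and the SITPN predicate agree everywhere tried.
    """
    intervals = [None]
    intervals += [(a, b) for a in range(1, max_a + 1) for b in range(a, max_b + 1)]
    intervals += [(a, INF) for a in range(1, max_a + 1)]
    bad = []
    for interval, reset in product(intervals, (False, True)):
        tt = transition_type(interval)
        if interval is None:
            if checktc(tt, reset, 0, 0, 0) != sitpn_side(interval, reset, 0):
                bad.append((interval, reset, 0))
            continue
        a, b = interval
        B = None if b == INF else b
        top = (a if b == INF else b) + 3      # go past the saturation point
        for i in range(top):
            if checktc(tt, reset, stc_of(interval, i), a, B) != sitpn_side(interval, reset, i):
                bad.append((interval, reset, i))
    return bad


if __name__ == "__main__":
    print("counterexamples:", counterexamples())   # expect []
```

Changing `stc_of` to a non-saturating counter, or `falling_edge_counter` to apply Rule (4) past the upper bound, produces counterexamples, which is exactly the boundary the  $s.I(t) > \text{upper}(I_s(t))$  cases of the proofs rule out.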

**Lemma 42** (Falling edge equal not firable). *For all sitpn, d,  $\gamma$ ,  $\Delta$ ,  $\sigma_e$ ,  $E_c$ ,  $E_p$ ,  $\tau$ ,  $s$ ,  $s'$ ,  $\sigma$ ,  $\sigma_i$ ,  $\sigma_\downarrow$ ,  $\sigma'$  that verify the hypotheses of Definition 23, then  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t, t \notin \text{Firable}(s') \Leftrightarrow \sigma'(id_t)(\text{"s\_firable"}) = \text{false}$ .*

*Proof.* Proving the above lemma is trivial by appealing to Lemma 39 and by reasoning on contrapositives. □

#### A.4.7 Falling edge and fired transitions

**Lemma 43** (Falling Edge Equal Fired Set). *For all sitpn, d,  $\gamma$ ,  $\Delta$ ,  $\sigma_e$ ,  $E_c$ ,  $E_p$ ,  $\tau$ ,  $s$ ,  $s'$ ,  $\sigma$ ,  $\sigma_i$ ,  $\sigma_\downarrow$ ,  $\sigma'$  that verify the hypotheses of Definition 23, then  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t, \forall fset \subseteq T$  s.t.  $IsFiredSet(s', fset), t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}$ .*

*Proof.* Given a  $t \in T$ , an  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , and a  $fset \subseteq T$  s.t.  $IsFiredSet(s', fset)$ , let us show  $t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}$ .

By definition of  $IsFiredSet(s', fset)$ , we have  $IsFiredSetAux(s', \emptyset, T, fset)$ .

Then, we can appeal to Lemma 44 to solve the goal, but first we must prove the following *extra hypothesis* (i.e., one of the premises of Lemma 44, Falling edge equal fired set aux):

$\boxed{\forall t' \in T, id_{t'} \in Comps(\Delta) \text{ s.t. } \gamma(t') = id_{t'}, (t' \in \emptyset \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in \emptyset \vee t' \in T)}$

Given a  $t' \in T$  and an  $id_{t'} \in Comps(\Delta)$  s.t.  $\gamma(t') = id_{t'}$ , there are two points to prove:

1.  $\boxed{t' \in \emptyset \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}}$

2.  $\boxed{\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in \emptyset \vee t' \in T}$

Let us show these two points:

- Assuming  $t' \in \emptyset$ , let us show  $\sigma'(id_{t'})(\text{"fired"}) = \text{true}.$

$t' \in \emptyset$  is a contradiction.

- Assuming  $\sigma'(id_{t'})(\text{"fired"}) = \text{true}$ , let us show  $t' \in \emptyset \vee t' \in T.$

By definition,  $t' \in T.$

□

**Lemma 44** (Falling edge equal fired set aux). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Definition 23, then  $\forall t \in T, id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t, \forall fired \subseteq T, T_s \subseteq T, fset \subseteq T$ , assume that:*

- $IsFiredSetAux(s', fired, T_s, fset)$
- EH (Extra. Hypothesis):  
 $\forall t' \in T, id_{t'} \in Comps(\Delta)$  s.t.  $\gamma(t') = id_{t'}, (t' \in fired \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in fired \vee t' \in T_s).$

then  $t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}.$

*Proof.* Given a  $t \in T$ , an  $id_t \in Comps(\Delta)$ , a  $fired, T_s, fset \subseteq T$ , and assuming  $IsFiredSetAux(s', fired, T_s, fset)$  and EH, let us show  $t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}.$

Let us reason by induction on  $IsFiredSetAux(s', fired, T_s, fset)$ .

- **BASE CASE:**  $t \in fired \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}.$

In that case,  $fired = fset$  and  $T_s = \emptyset$ , so EH reads:

$\forall t' \in T, id_{t'} \in Comps(\Delta)$  s.t.  $\gamma(t') = id_{t'}, (t' \in fired \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in fired \vee t' \in \emptyset).$

From EH, we can deduce  $t \in fired \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}.$

- **INDUCTION CASE:**  $t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}.$

In that case, we have:

- $IsTopPrioritySet(T_s, tp)$
- $ElectFired(s', fired, tp, fired')$
- $FiredAux(s', fired', T_s \setminus tp, fset)$
- IH (Induction Hypothesis):

$$\begin{aligned} & (\forall t' \in T, id_{t'} \in Comps(\Delta) \text{ s.t. } \gamma(t') = id_{t'}, \\ & \quad (t' \in fired' \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in fired' \vee t' \in T_s \setminus tp)) \\ & \Rightarrow t \in fset \Leftrightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}. \end{aligned}$$

Applying the induction hypothesis, then, the new goal is:

$$\begin{aligned} \forall t' \in T, id_{t'} \in Comps(\Delta) \text{ s.t. } \gamma(t') = id_{t'}, \\ (t' \in fired' \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \\ \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in fired' \vee t' \in T_s \setminus tp) \end{aligned}$$

Apply Lemma 45 (Elect Fired Equal Fired) to solve the goal.

□

**Lemma 45** (Elect Fired Equal Fired). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Definition 23, then  $\forall fired, fired', T_s, tp, fset \subseteq T$ , assume that:*

- $IsTopPrioritySet(T_s, tp)$
- $ElectFired(s', fired, tp, fired')$
- $FiredAux(s', fired', T_s \setminus tp, fset)$
- **EH (Extra. Hypothesis):**  
 $\forall t' \in T, id_{t'} \in Comps(\Delta) \text{ s.t. } \gamma(t') = id_{t'},$   
 $(t' \in fired \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in fired \vee t' \in T_s)$

then  $\forall t \in T, id_t \in Comps(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(t \in fired \Rightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_t)(\text{"fired"}) = \text{true} \Rightarrow t \in fired \vee t \in T_s \setminus tp).$

*Proof.* Given a  $t \in T$  and an  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ , let us show

$$(t \in fired \Rightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_t)(\text{"fired"}) = \text{true} \Rightarrow t \in fired \vee t \in T_s \setminus tp).$$

Let us reason by induction on  $ElectFired(s', fired, tp, fired')$ ; there are three cases:

1. **BASE CASE:**  $tp = \emptyset$  and  $fired = fired'$ .
2. **INDUCTIVE CASE:**  $tp = \{t_0\} \cup tp_0$  and  $t_0$  is elected to be fired.
3. **INDUCTIVE CASE:**  $tp = \{t_0\} \cup tp_0$  and  $t_0$  is not elected to be fired.

Let us prove the goal in these three contexts:

1. **BASE CASE:**

$$(t \in fired \Rightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_t)(\text{"fired"}) = \text{true} \Rightarrow t \in fired \vee t \in T_s).$$

Apply EH to solve the goal.

2. **INDUCTIVE CASE:**  $tp = \{t_0\} \cup tp_0$  and  $t_0$  is elected to be fired.

In that case, we have:

- $IsTopPrioritySet(T_s, \{t_0\} \cup tp_0)$
- $ElectFired(s', fired \cup \{t_0\}, tp_0, fired')$
- $IsFiredSetAux(s', fired', T_s \setminus (\{t_0\} \cup tp_0), fset)$
- $t_0 \in Firable(s')$
- $t_0 \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t_0, \text{fired})} \text{pre}(t_i))$  where  $\text{Pr}(t, \text{fired}) = \{t' \mid t' \succ t \wedge t' \in \text{fired}\}$
- EH:  $\forall t' \in T, id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'}$ ,  
 $(t' \in \text{fired} \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in \text{fired} \vee t' \in T_s)$
- IH (Induction Hypothesis):  
 $\forall T'_s \subseteq T,$   
 $\text{IsTopPrioritySet}(T'_s, tp_0) \Rightarrow$   
 $\text{IsFiredSetAux}(s', \text{fired}', T'_s \setminus tp_0, fset) \Rightarrow$   
 $(\forall t' \in T, id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'},$   
 $(t' \in \text{fired} \cup \{t_0\} \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in \text{fired} \cup \{t_0\} \vee t' \in T'_s)) \Rightarrow$   
 $\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t,$   
 $(t \in \text{fired}' \Rightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_t)(\text{"fired"}) = \text{true} \Rightarrow t \in \text{fired}' \vee t \in T'_s \setminus tp_0)$

and the goal is:

$\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t,$   
 $(t \in \text{fired}' \Rightarrow \sigma'(id_t)(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_t)(\text{"fired"}) = \text{true} \Rightarrow t \in \text{fired}' \vee t \in T_s \setminus (\{t_0\} \cup tp_0))$

To solve the goal, we can apply the induction hypothesis with  $T'_s = T_s \setminus \{t_0\}$ ; then, there are three points to prove:

- (a)  $\boxed{\text{IsTopPrioritySet}(T_s \setminus \{t_0\}, tp_0)}$
- (b)  $\boxed{\text{IsFiredSetAux}(s', \text{fired}', (T_s \setminus \{t_0\}) \setminus tp_0, fset)}$
- (c)  $\forall t' \in T, id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'},$   
 $(t' \in \text{fired} \cup \{t_0\} \Rightarrow \sigma'(id_{t'})(\text{"fired"}) = \text{true}) \wedge (\sigma'(id_{t'})(\text{"fired"}) = \text{true} \Rightarrow t' \in \text{fired} \cup \{t_0\} \vee t' \in T_s \setminus \{t_0\})$

Let us prove these three points:

- (a)  $\boxed{\text{IsTopPrioritySet}(T_s \setminus \{t_0\}, tp_0)}$

Not provable yet.

- (b)  $\boxed{\text{IsFiredSetAux}(s', \text{fired}', (T_s \setminus \{t_0\}) \setminus tp_0, fset)}.$

We know that  $(T_s \setminus \{t_0\}) \setminus tp_0 = T_s \setminus (\{t_0\} \cup tp_0)$ , and thus

$\text{IsFiredSetAux}(s', \text{fired}', T_s \setminus (\{t_0\} \cup tp_0), fset)$  is an assumption.

- (c)  $\forall t' \in T, id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'},$   
 $(t' \in \text{fired} \cup \{t_0\} \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in \text{fired} \cup \{t_0\} \vee t' \in T_s \setminus \{t_0\})$

Given a  $t' \in T$  and an  $id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'}$ , let us show

$(t' \in \text{fired} \cup \{t_0\} \Rightarrow \sigma'(id_{t'})(f'') = \text{true})$   
 $\wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in \text{fired} \cup \{t_0\} \vee t' \in T_s \setminus \{t_0\}).$

The proof is in two parts.

- i. Assuming that  $t' \in \text{fired} \cup \{t_0\}$ , let us show  $\sigma'(id_{t'})(f'') = \text{true}$ .

Case analysis on  $t' \in \text{fired} \cup \{t_0\}$ ; there are two cases:

- $t' \in \text{fired}$
- $t' = t_0$

Let us prove the goal in these two contexts.

- **CASE  $t' \in \text{fired}$ :** Thanks to EH, we can deduce  $\sigma'(id_{t'})(f'') = \text{true}$ .

- **CASE  $t' = t_0$ :**

By definition of  $id_{t'}$ , there exist  $gm_{t'}, ipm_{t'}, opm_{t'}$  s.t.  $\text{comp}(id_{t'}, "transition", gm_{t'}, ipm_{t'}, opm_{t'}) \in d.cs$ .

By property of the stabilize relation and  $\text{comp}(id_{t'}, "transition", gm_{t'}, ipm_{t'}, opm_{t'}) \in d.cs$ , and through the examination of the `fired_evaluation` process defined in the transition design architecture:

$$\sigma'(id_{t'})(f'') = \sigma'(id_{t'})(sfa'') . \sigma'(id_{t'})(spc'') \quad (\text{A.48})$$

Rewriting the goal with (A.48):  $\sigma'(id_{t'})(sfa'') . \sigma'(id_{t'})(spc'') = \text{true}$ .

Then, there are two points to prove:

A.  $\sigma'(id_{t'})(sfa'') = \text{true}$ .

B.  $\sigma'(id_{t'})(spc'') = \text{true}$ .

Let us prove these two points:

A.  $\sigma'(id_{t'})(sfa'') = \text{true}$ .

Appealing to Lemma 39, we can deduce  $\sigma'(id_{t'})(sfa'') = \text{true}$ .

B.  $\sigma'(id_{t'})(spc'') = \text{true}$ .

Appealing to Lemma 46, we can deduce  $\sigma'(id_{t'})(spc'') = \text{true}$ .

- ii. Assuming that  $\sigma'(id_{t'})(f'') = \text{true}$ , let us show  $t' \in \text{fired} \cup \{t_0\} \vee t' \in T_s \setminus \{t_0\}$ .

From  $\sigma'(id_{t'})(f'') = \text{true}$  and EH, we can deduce that  $t' \in \text{fired} \vee t' \in T_s$ .

Case analysis on  $t' \in \text{fired} \vee t' \in T_s$ .

- **CASE  $t' \in \text{fired}$ :** then, it is trivial to show  $t' \in \text{fired} \cup \{t_0\}$ .

- **CASE  $t' \in T_s$ :** We know that  $t_0 \in T_s$ . Therefore, either  $t' \in T_s \setminus \{t_0\}$ , or  $t' = t_0$ , and then,  $t' \in \text{fired} \cup \{t_0\}$ .

### 3. INDUCTIVE CASE: $tp = \{t_0\} \cup tp_0$ and $t_0$ is not elected to be fired.

- $\text{IsTopPrioritySet}(T_s, \{t_0\} \cup tp_0)$
- $\text{ElectFired}(s', \text{fired}, tp_0, \text{fired}')$
- $\text{IsFiredSetAux}(s', \text{fired}', T_s \setminus (\{t_0\} \cup tp_0), fset)$
- $\neg(t_0 \in \text{Firable}(s') \wedge t_0 \in \text{Sens}(s'.M - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(t_i)))$
- EH:  
 $\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'}$ ,  
 $(t' \in \text{fired} \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in \text{fired} \vee t' \in T_s)$

$\forall T'_s \subseteq T,$   
 $\text{IsTopPrioritySet}(T'_s, tp_0) \Rightarrow$   
 $\text{IsFiredSetAux}(s', fired', T'_s \setminus tp_0, fset) \Rightarrow$   
 $(\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'},$   
 $(t' \in fired \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in fired \vee t' \in T'_s)) \Rightarrow$   
 $\forall t \in T, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(t \in fired' \Rightarrow \sigma'(id_t)(f'') = \text{true}) \wedge (\sigma'(id_t)(f'') = \text{true} \Rightarrow t \in fired' \vee t \in T'_s \setminus tp_0)$

$\forall t \in T, id_t \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t) = id_t,$   
 $(t \in fired' \Rightarrow \sigma'(id_t)(f'') = \text{true}) \wedge (\sigma'(id_t)(f'') = \text{true} \Rightarrow t \in fired' \vee t \in T_s \setminus (\{t_0\} \cup tp_0)).$

Then, we can apply the induction hypothesis with  $T'_s = T_s \setminus \{t_0\}$ ; there are three points to prove:

- (a)  $\boxed{\text{IsTopPrioritySet}(T_s \setminus \{t_0\}, tp_0)}$
- (b)  $\boxed{\text{IsFiredSetAux}(s', fired', (T_s \setminus \{t_0\}) \setminus tp_0, fset)}$
- (c)  $\boxed{\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'},}$   
 $(t' \in fired \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in fired \vee t' \in T_s \setminus \{t_0\})$

Let us prove these three points:

- (a)  $\boxed{\text{IsTopPrioritySet}(T_s \setminus \{t_0\}, tp_0)}$

Not provable yet.

- (b)  $\boxed{\text{IsFiredSetAux}(s', fired', (T_s \setminus \{t_0\}) \setminus tp_0, fset)}$

We know that  $(T_s \setminus \{t_0\}) \setminus tp_0 = T_s \setminus (\{t_0\} \cup tp_0)$ , and thus

$\text{IsFiredSetAux}(s', fired', T_s \setminus (\{t_0\} \cup tp_0), fset)$  is an assumption.

- (c)  $\boxed{\forall t' \in T, id_{t'} \in \text{Comps}(\Delta) \text{ s.t. } \gamma(t') = id_{t'},}$   
 $(t' \in fired \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in fired \vee t' \in T_s \setminus \{t_0\})$

Given a  $t' \in T$  and an  $id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'}$ , let us show

$(t' \in fired \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in fired \vee t' \in T_s \setminus \{t_0\})$

The proof is in two parts:

- i. Assuming that  $t' \in fired$ , let us show  $\boxed{\sigma'(id_{t'})(f'') = \text{true}}.$

From  $t' \in fired$  and EH,  $\sigma'(id_{t'})(f'') = \text{true}.$

- ii. Assuming that  $\sigma'(id_{t'})(f'') = \text{true}$ , let us show  $\boxed{t' \in fired \vee t' \in T_s \setminus \{t_0\}}.$

Thanks to  $\sigma'(id_{t'})(f'') = \text{true}$  and EH, we know that:  $t' \in fired \vee t' \in T_s.$

Case analysis on  $t' \in fired \vee t' \in T_s$ ; there are two cases:

- **CASE**  $t' \in \text{fired}$ : then the left disjunct of the goal holds trivially.

- **CASE**  $t' \in T_s$ :

From  $\text{IsTopPrioritySet}(T_s, \{t_0\} \cup tp_0)$ , we can deduce that  $t_0 \in T_s$ . Therefore, either  $t' \in T_s \setminus \{t_0\}$  or  $t' = t_0$ .

In the case where  $t' = t_0$ , we need to show a contradiction by proving

$t' \in \text{Firable}(s')$  and  $t' \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i))$  based on  $\sigma'(id_{t'})(f'') = \text{true}$ .

By definition of  $id_{t'}$ , there exist  $gm_{t'}, ipm_{t'}, opm_{t'}$  s.t.  $\text{comp}(id_{t'}, "transition", gm_{t'}, ipm_{t'}, opm_{t'}) \in d.cs$ .

By property of the stabilize relation and  $\text{comp}(id_{t'}, "transition", gm_{t'}, ipm_{t'}, opm_{t'}) \in d.cs$ :

$$\sigma'(id_{t'})(f'') = \sigma'(id_{t'})(sfa'') . \sigma'(id_{t'})(spc'') = \text{true} \quad (\text{A.49})$$

From  $\sigma'(id_{t'})(sfa'') = \text{true}$ , and appealing to Lemma **Falling Edge Equal Firable**, we can deduce  $t' \in \text{Firable}(s')$ .

From  $\sigma'(id_{t'})(spc'') = \text{true}$ , and appealing to Lemma **Stabilize Compute Priority Combination After Falling Edge** (Lemma 46), we can deduce  $t' \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i))$ .

Then, as  $t' = t_0$ , the hypothesis  $\neg(t_0 \in \text{Firable}(s') \wedge t_0 \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i)))$  yields a contradiction.

□

**Lemma 46** (Stabilize Compute Priority Combination After Falling Edge). *For all  $sitpn, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Definition 23, then  $\forall t \in T, id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ ,*

*$\forall fired, fired', T_s, tp, fset \subseteq T$  assume that:*

- $\text{IsTopPrioritySet}(T_s, \{t\} \cup tp)$
- $\text{ElectFired}(s', fired, tp, fired')$
- $\text{IsFiredSetAux}(s', fired', T_s \setminus (\{t\} \cup tp), fset)$
- EH:  $\forall t' \in T, id_{t'} \in \text{Comps}(\Delta)$  s.t.  $\gamma(t') = id_{t'}$ ,  
 $(t' \in fired \Rightarrow \sigma'(id_{t'})(f'') = \text{true}) \wedge (\sigma'(id_{t'})(f'') = \text{true} \Rightarrow t' \in fired \vee t' \in T_s)$ .
- $t \in \text{Firable}(s')$

then  $t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i)) \Leftrightarrow \sigma'(id_t)(spc'') = \text{true}$

*Proof.* Given a  $t \in T$  and an  $id_t \in \text{Comps}(\Delta)$  s.t.  $\gamma(t) = id_t$ , a  $fired, fired', T_s, tp, fset \subseteq T$  and assuming all the above hypotheses, let us show

$$t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i)) \Leftrightarrow \sigma'(id_t)(spc'') = \text{true}.$$

By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ .

By property of the stabilize relation,  $\text{comp}(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ , and through the examination of the priority\_authorization\_evaluation process defined in the transition design architecture, we can deduce:

$$\sigma'(id_t)(\text{"spc"}) = \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] \quad (\text{A.50})$$

Rewriting the goal with (A.50):

$$t \in Sens(s'.M - \sum_{t_i \in Pr(t, \text{fired})} pre(t_i)) \Leftrightarrow \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \text{true.}$$

Then, the proof is in two parts:

1.  $t \in Sens(s'.M - \sum_{t_i \in Pr(t, \text{fired})} pre(t_i)) \Rightarrow \prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \text{true}$
2.  $\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \text{true} \Rightarrow t \in Sens(s'.M - \sum_{t_i \in Pr(t, \text{fired})} pre(t_i))$

Let us prove both sides of the equivalence:

1. Assuming that  $t \in Sens(s'.M - \sum_{t_i \in Pr(t, \text{fired})} pre(t_i))$ , let us show

$$\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \text{true.}$$

Let us perform case analysis on  $input(t)$ ; there are 2 cases:

- CASE  $input(t) = \emptyset$ :

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow 1 \rangle \in gm_t$  and  $\langle \text{priority\_authorizations}(0) \Rightarrow \text{true} \rangle \in ipm_t$ .

By property of the elaboration relation, we have  $\Delta(id_t)(\text{"ian"}) = 1$ , and by property of the stabilize relation, we have  $\sigma'(id_t)(\text{"pauths"})[0] = \text{true}$ .

Rewriting the goal with  $\Delta(id_t)(\text{"ian"}) = 1$  and  $\sigma'(id_t)(\text{"pauths"})[0] = \text{true}$ , and simplifying the goal: **tautology**.

- CASE  $input(t) \neq \emptyset$ :

Then, let us show an equivalent goal:

$$\forall i \in [0, \Delta(id_t)(\text{"ian"}) - 1], \sigma'(id_t)(\text{"pauths"})[i] = \text{true.}$$

Given an  $i \in [0, \Delta(id_t)(\text{"ian"}) - 1]$ , let us show  $\sigma'(id_t)(\text{"pauths"})[i] = \text{true}$ .

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |input(t)| \rangle \in gm_t$ .

By property of the elaboration relation, we have  $\Delta(id_t)(\text{"ian"}) = |input(t)|$ . Then, we can deduce  $i \in [0, |input(t)| - 1]$ .

By construction, for all  $i \in [0, |input(t)| - 1]$ , there exist a  $p \in input(t)$  and an  $id_p \in Comps(\Delta)$  s.t.  $\gamma(p) = id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ , and there exist a  $j \in [0, |output(p)| - 1]$  and an  $id_{ji} \in Sigs(\Delta)$  s.t.

$\langle \text{input\_arcs\_valid}(i) \Rightarrow id_{ji} \rangle \in ipm_t$  and  $\langle \text{output\_arcs\_valid}(j) \Rightarrow id_{ji} \rangle \in opm_t$ .

Let us take such a  $p \in \text{input}(t)$ ,  $\text{id}_p \in \text{Comps}(\Delta)$ ,  $gm_p, ipm_p, opm_p$ ,  $j \in [0, |\text{output}(p)| - 1]$  and  $\text{id}_{ji} \in \text{Sigs}(\Delta)$ .

Now, let us perform case analysis on the nature of the arc connecting  $p$  and  $t$ ; there are 2 cases:

- **CASE**  $\text{pre}(p, t) = (\omega, \text{test})$  or  $\text{pre}(p, t) = (\omega, \text{inhib})$ :

By construction,  $\langle \text{priority\_authorizations}(i) \Rightarrow \text{true} \rangle \in ipm_t$ , and by property of the stabilize relation:  $\sigma'(\text{id}_t)(\text{"pauths"})[i] = \text{true}$ .

- **CASE**  $\text{pre}(p, t) = (\omega, \text{basic})$ :

Let us define  $\text{output}_c(p) = \{t \in T \mid \exists \omega, \text{pre}(p, t) = (\omega, \text{basic})\}$ , the set of output transitions of  $p$  that are in conflict. Then, there are two cases, one for each way to solve the conflicts between the output transitions of  $p$ :

  - **CASE** For all pairs of transitions in  $\text{output}_c(p)$ , all conflicts are solved by mutual exclusion:

By construction,  $\langle \text{priority\_authorizations}(i) \Rightarrow \text{true} \rangle \in ipm_t$ , and by property of the stabilize relation:  $\sigma'(\text{id}_t)(\text{"pauths"})[i] = \text{true}$ .

  - **CASE** The priority relation is a strict total order over the set  $\text{output}_c(p)$ :

By construction, there exists an  $\text{id}'_{ji} \in \text{Sigs}(\Delta)$  s.t.

$\langle \text{priority\_authorizations}(i) \Rightarrow \text{id}'_{ji} \rangle \in ipm_t$  and

$\langle \text{priority\_authorizations}(j) \Rightarrow \text{id}'_{ji} \rangle \in opm_p$ .

By property of the stabilize relation,  $\text{comp}(\text{id}_t, \text{"transition"}, gm_t, ipm_t, opm_t) \in d.cs$  and  $\text{comp}(\text{id}_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , we can deduce:

$$\sigma'(\text{id}_t)(\text{"pauths"})[i] = \sigma'(\text{id}'_{ji}) = \sigma'(\text{id}_p)(\text{"pauths"})[j] \quad (\text{A.51})$$

Rewriting the goal with (A.51):  $\sigma'(\text{id}_p)(\text{"pauths"})[j] = \text{true}$ .

By property of the stabilize relation,  $\text{comp}(\text{id}_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ , and through the examination of the priority\_evaluation process defined in the place design behavior, we can deduce:

$$\sigma'(\text{id}_p)(\text{"pauths"})[j] = (\sigma'(\text{id}_p)(\text{"sm"}) \geq \text{vsots} + \sigma'(\text{id}_p)(\text{"oaw"})[j]) \quad (\text{A.52})$$

Let us define the **vsots** term as follows:

$$\text{vsots} = \sum_{i=0}^{j-1} \begin{cases} \sigma'(\text{id}_p)(\text{"oaw"})[i] & \text{if } \sigma'(\text{id}_p)(\text{"otf"})[i] \,.\, (\sigma'(\text{id}_p)(\text{"oat"})[i] = \text{basic}) \\ 0 & \text{otherwise} \end{cases} \quad (\text{A.53})$$

Rewriting the goal with (A.52):  $\sigma'(\text{id}_p)(\text{"sm"}) \geq \text{vsots} + \sigma'(\text{id}_p)(\text{"oaw"})[j]$

By definition of  $t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i))$ , we can deduce:

$$s'.M(p) \geq \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(p, t_i) + \omega.$$

Then, there are three points to prove:

(a)  $\boxed{s'.M(p) = \sigma'(\text{id}_p)(\text{"sm"})}$

(b)  $\boxed{\omega = \sigma'(\text{id}_p)(\text{"oaw"})[j]}$

(c)  $\boxed{\sum_{t_i \in Pr(t, \text{fired})} pre(p, t_i) = \text{vsots}}$

Let us prove these three points:

(a)  $\boxed{s'.M(p) = \sigma'(id_p)(\text{"sm"})}$

Appealing to Lemma 32:  $s'.M(p) = \sigma'(id_p)(\text{"sm"})$ .

(b)  $\boxed{\omega = \sigma'(id_p)(\text{"oaw"})[j]}$

By construction, and as  $pre(p, t) = (\omega, \text{basic})$ , we have  $\langle \text{output\_arcs\_weights}(j) \Rightarrow \omega \rangle \in ipm_p$ .

By property of the stabilize relation and  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ :

$$\boxed{\omega = \sigma'(id_p)(\text{"oaw"})[j].}$$

(c)  $\boxed{\sum_{t_i \in Pr(t, \text{fired})} pre(p, t_i) = \text{vsots}}$

Let us replace the left and right term of the equality by their full definition:

$$\begin{aligned} & \sum_{t_i \in Pr(t, \text{fired})} \begin{cases} \omega & \text{if } pre(p, t_i) = (\omega, \text{basic}) \\ 0 & \text{otherwise} \end{cases} \\ &= \sum_{i=0}^{j-1} \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] & \text{if } \sigma'(id_p)(\text{"otf"})[i] \,.\, (\sigma'(id_p)(\text{"oat"})[i] = \text{basic}) \\ 0 & \text{otherwise} \end{cases} \end{aligned}$$

Let us define  $f(t_i) = \begin{cases} \omega & \text{if } pre(p, t_i) = (\omega, \text{basic}) \\ 0 & \text{otherwise} \end{cases}$  and

$$g(i) = \begin{cases} \sigma'(id_p)(\text{"oaw"})[i] & \text{if } \sigma'(id_p)(\text{"otf"})[i] \,.\, (\sigma'(id_p)(\text{"oat"})[i] = \text{basic}) \\ 0 & \text{otherwise} \end{cases}$$

Let us reason by induction on the right term of the goal.

**BASE CASE:** then, we have  $i > j - 1$ , and then  $j = 0$ .

$$\boxed{\sum_{t_i \in Pr(t, \text{fired})} \begin{cases} \omega & \text{if } pre(p, t_i) = (\omega, \text{basic}) \\ 0 & \text{otherwise} \end{cases} = 0}$$

By property of the well-definition of  $sitpn$ , the priority relation is a strict total order over the transitions of set  $output_c(p)$ . This ordering is reflected in the ordering of the indexes of the output port priority\_authorizations for each place component instance. Thus, in the priority\_authorizations output port of a place component instance, the element of index 0 is connected to the transition of  $output_c(p)$  with the highest firing priority. We know that component  $id_t$  is connected to priority\_authorizations(0) in the output port map of component  $id_p$ . By construction, transition  $t$  is the transition of  $output_c(p)$  with the highest firing priority, i.e.,

$\nexists t' \in \text{output}_c(p)$  s.t.  $t' \succ t$ .

For all transitions  $t_i \in \text{Pr}(t, \text{fired})$ , either  $t_i$  is not in  $\text{output}_c(p)$ , and thus  $t_i$  has no effect on the value of the sum term  $\sum_{t_i \in \text{Pr}(t, \text{fired})} f(t_i)$ ; or,  $t_i \in \text{output}_c(p)$ . Then, by definition of  $t_i \in \text{Pr}(t, \text{fired})$ ,  $t_i \succ t$ , which contradicts  $\nexists t' \in \text{output}_c(p)$  s.t.  $t' \succ t$ .

**INDUCTIVE CASE:** then,  $0 \leq j - 1$ , and thus  $j > 0$ . The induction hypothesis is:

$$\text{For all } \text{Pr}' \subseteq T, \; g(0) + \sum_{t_i \in \text{Pr}'} f(t_i) = g(0) + \sum_{i=1}^{j-1} g(i)$$

and the goal is:

$$\sum_{t_i \in \text{Pr}(t, \text{fired})} f(t_i) = g(0) + \sum_{i=1}^{j-1} g(i).$$

By definition of  $g(0)$ :

$$\sum_{t_i \in \text{Pr}(t, \text{fired})} f(t_i) = \begin{cases} \sigma'(id_p)(\text{"oaw"})[0] & \text{if } \sigma'(id_p)(\text{"otf"})[0] \,.\, (\sigma'(id_p)(\text{"oat"})[0] = \text{basic}) \\ 0 & \text{otherwise} \end{cases} + \sum_{i=1}^{j-1} g(i).$$

Case analysis on the value of  $\sigma'(id_p)(\text{"otf"})[0] \,.\, (\sigma'(id_p)(\text{"oat"})[0] = \text{basic})$ :

In the case where  $(\sigma'(id_p)(\text{"otf"})[0] \,.\, (\sigma'(id_p)(\text{"oat"})[0] = \text{basic})) = \text{false}$ , then  $g(0) = 0$ , and we can use the induction hypothesis with  $\text{Pr}' = \text{Pr}(t, \text{fired})$  to prove the goal.

In the case where  $(\sigma'(id_p)(\text{"otf"})[0] \,.\, (\sigma'(id_p)(\text{"oat"})[0] = \text{basic})) = \text{true}$ , then  $g(0) = \sigma'(id_p)(\text{"oaw"})[0]$ :

$$\sum_{t_i \in \text{Pr}(t, \text{fired})} f(t_i) = \sigma'(id_p)(\text{"oaw"})[0] + \sum_{i=1}^{j-1} g(i).$$

By construction, and knowing that  $j > 0$  and that the priority relation is a strict total order over the set  $\text{output}_c(p)$ , there exist a  $t_0 \in \text{output}_c(p)$ , an  $id_{t_0} \in \text{Comps}(\Delta)$ ,  $gm_{t_0}, ipm_{t_0}, opm_{t_0}$ , and an  $id_{ft_0} \in \text{Sigs}(\Delta)$  such that:

- $\gamma(t_0) = id_{t_0}$
- $t_0 \succ t$
- $\text{comp}(id_{t_0}, \text{"transition"}, gm_{t_0}, ipm_{t_0}, opm_{t_0}) \in d.cs$
- $\langle \text{fired} \Rightarrow id_{ft_0} \rangle \in opm_{t_0}$
- $\langle \text{output\_transitions\_fired}(0) \Rightarrow id_{ft_0} \rangle \in ipm_p$

By property of the stabilize relation,  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$  and  $\text{comp}(id_{t_0}, \text{"transition"}, gm_{t_0}, ipm_{t_0}, opm_{t_0}) \in d.cs$ :

$$\sigma'(id_{t_0})(\text{"f"}) = \sigma'(id_{ft_0}) = \sigma'(id_p)(\text{"otf"})[0] = \text{true} \quad (\text{A.54})$$

From EH and  $\sigma'(id_{t_0})(\text{"f"}) = \text{true}$ , we have either  $t_0 \in \text{fired}$  or  $t_0 \in T_s$ .

- In the case where  $t_0 \in \text{fired}$ , then, by definition of  $\Sigma$ :

$$f(t_0) + \sum_{t_i \in Pr(t, \text{fired}) \setminus \{t_0\}} f(t_i) = \sigma'(id_p)(\text{"oaw"})[0] + \sum_{i=1}^{j-1} g(i).$$

By definition of  $t_0 \in \text{output}_c(p)$ , there exists  $\omega \in \mathbb{N}^*$  s.t.  $\text{pre}(p, t_0) = (\omega, \text{basic})$ . Thus, we have  $f(t_0) = \omega$ .

By construction,  $\langle \text{output\_arcs\_weights}(0) \Rightarrow \omega \rangle \in ipm_p$ , and by property of the stabilize relation, we have  $\sigma'(id_p)(\text{"oaw"})[0] = \omega$ . Thus, we can deduce that  $g(0) = \omega$ , and then we can rewrite the goal in order to apply the induction hypothesis with  $Pr' = Pr(t, \text{fired}) \setminus \{t_0\}$ .

- In the case where  $t_0 \in T_s$ :

As  $t$  is a top-priority transition in set  $T_s$ , there exists no transition  $t' \in T_s$  s.t.  $t' \succ t$ . This contradicts  $t_0 \succ t$ .

2. Assuming that  $\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \text{true}$ , let us show

$$t \in \text{Sens}(s'.M - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(t_i)).$$

By definition of  $t \in \text{Sens}(s'.M - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(t_i))$ :

$$\begin{aligned} & \forall p \in P, \omega \in \mathbb{N}^*, \\ & ((\text{pre}(p, t) = (\omega, \text{basic}) \vee \text{pre}(p, t) = (\omega, \text{test})) \Rightarrow s'.M(p) - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(p, t_i) \geq \omega) \\ & \wedge (\text{pre}(p, t) = (\omega, \text{inhib}) \Rightarrow s'.M(p) - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(p, t_i) < \omega) \end{aligned}$$

Given a  $p \in P$  and an  $\omega \in \mathbb{N}^*$ , let us show

$$\begin{aligned} & ((\text{pre}(p, t) = (\omega, \text{basic}) \vee \text{pre}(p, t) = (\omega, \text{test})) \Rightarrow s'.M(p) - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(p, t_i) \geq \omega) \\ & \wedge (\text{pre}(p, t) = (\omega, \text{inhib}) \Rightarrow s'.M(p) - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(p, t_i) < \omega) \end{aligned}$$

By construction, there exists an  $id_p \in \text{Comps}(\Delta)$  s.t.  $\gamma(p) = id_p$ . By construction and by definition of  $id_p$ , there exist  $gm_p, ipm_p, opm_p$  s.t.  $\text{comp}(id_p, \text{"place"}, gm_p, ipm_p, opm_p) \in d.cs$ .

There are three different cases:

(a) Assuming that  $\text{pre}(p, t) = (\omega, \text{test})$ , let us show  $s'.M(p) - \sum_{t_i \in Pr(t, \text{fired})} \text{pre}(p, t_i) \geq \omega$ .

Then, assuming that the priority relation is well-defined, there exists no transition  $t_i$  connected by a basic arc to  $p$  that verifies  $t_i \succ t$ . This is because  $t$  is connected to  $p$  by a test arc; thus,  $t$  is not in conflict with the other output transitions of  $p$ ; thus, there is no relation of priority between  $t$  and the output transitions of  $p$ .

Then, we can deduce that  $\sum_{t_i \in Pr(t, fired)} pre(p, t_i) = 0$ .

Then, the new goal is  $s'.M(p) \geq \omega$ .

Knowing that  $t \in Firable(s')$ , we have  $t \in Sens(s'.M)$ , and thus  $s'.M(p) \geq \omega$ .

(b) Assuming that  $pre(p, t) = (\omega, inhib)$ , let us show  $s'.M(p) - \sum_{t_i \in Pr(t, fired)} pre(p, t_i) < \omega$ .

Use the same strategy as above.

(c) Assuming that  $pre(p, t) = (\omega, basic)$ , let us show  $s'.M(p) - \sum_{t_i \in Pr(t, fired)} pre(p, t_i) \geq \omega$ .

Then, there are two cases:

- i. **CASE** For all pairs of transitions in  $output_c(p)$ , all conflicts are solved by mutual exclusion.

Then, assuming that the priority relation is well-defined, it must not be defined over the set  $output_c(p)$ , and we know that  $t \in output_c(p)$  since  $pre(p, t) = (\omega, basic)$ .

Then, there exists no transition  $t_i$  connected to  $p$  by a **basic** arc that verifies  $t_i \succ t$ .

Then, we can deduce  $\sum_{t_i \in Pr(t, fired)} pre(p, t_i) = 0$ .

Then, the new goal is  $s'.M(p) \geq \omega$ .

We know  $t \in Firable(s')$ , thus,  $t \in Sens(s'.M)$ , thus,  $s'.M(p) \geq \omega$ .

- ii. **CASE** The priority relation is a strict total order over the set  $output_c(p)$ .

By construction, there exists  $id_t \in Comps(\Delta)$  s.t.  $\gamma(t) = id_t$ . By construction and by definition of  $id_t$ , there exist  $gm_t, ipm_t, opm_t$  s.t.  $comp(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ .

By construction, there exist  $j \in [0, |input(t)| - 1]$ ,  $k \in [0, |output(p)| - 1]$ , and  $id_{kj} \in Sigs(\Delta)$  s.t.  $\langle \text{priority\_authorizations}(j) \Rightarrow id_{kj} \rangle \in ipm_t$  and

$\langle \text{priority\_authorizations}(k) \Rightarrow id_{kj} \rangle \in opm_p$ . Let us take such  $j, k$  and  $id_{kj}$ .

From  $\prod_{i=0}^{\Delta(id_t)(\text{"ian"})-1} \sigma'(id_t)(\text{"pauths"})[i] = \text{true}$ , we can deduce that for all  $i \in [0, \Delta(id_t)(\text{"ian"}) - 1], \sigma'(id_t)(\text{"pauths"})[i] = \text{true}$ .

By construction,  $\langle \text{input\_arcs\_number} \Rightarrow |input(t)| \rangle \in gm_t$ , and by property of the elaboration relation, we have  $\Delta(id_t)(\text{"ian"}) = |input(t)|$ . Then, from  $j \in [0, |input(t)| - 1]$ , we can deduce  $j \in [0, \Delta(id_t)(\text{"ian"}) - 1]$ . And, from  $\forall i \in [0, \Delta(id_t)(\text{"ian"}) - 1], \sigma'(id_t)(\text{"pauths"})[i] = \text{true}$ , we can deduce  $\sigma'(id_t)(\text{"pauths"})[j] = \text{true}$ .

By property of the stabilize relation,  $comp(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$  and  $comp(id_t, "transition", gm_t, ipm_t, opm_t) \in d.cs$ :

$$\sigma'(id_p)(\text{"pauths"})[k] = \sigma'(id_{kj}) = \sigma'(id_t)(\text{"pauths"})[j] = \text{true} \quad (\text{A.55})$$

By property of the stabilize relation and  $comp(id_p, "place", gm_p, ipm_p, opm_p) \in d.cs$ :

$$\sigma'(id_p)(\text{"pauths"})[k] = (\sigma'(id_p)(\text{"sm"}) \geq \text{vsots} + \sigma'(id_p)(\text{"oaw"})[k]) \quad (\text{A.56})$$

Let us define the `vsots` term as follows:

$$\text{vsots} = \sum_{i=0}^{k-1} \begin{cases} \sigma'(\text{id}_p)(\text{"oaw"})[i] & \text{if } \sigma'(\text{id}_p)(\text{"otf"})[i] \,.\, (\sigma'(\text{id}_p)(\text{"oat"})[i] = \text{basic}) \\ 0 & \text{otherwise} \end{cases} \quad (\text{A.57})$$

From (A.55) and (A.56), we can deduce that  $\sigma'(\text{id}_p)(\text{"sm"}) \geq \text{vsots} + \sigma'(\text{id}_p)(\text{"oaw"})[k]$ . Then, there are three points to prove:

- A.  $s'.M(p) = \sigma'(\text{id}_p)(\text{"sm"})$
- B.  $\omega = \sigma'(\text{id}_p)(\text{"oaw"})[k]$
- C.  $\sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(p, t_i) = \text{vsots}$

These three points are proved exactly as points (a), (b) and (c) of part 1 above, with  $k$  in place of  $j$ .

□
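As an added illustration of the equivalence that Lemma 46 establishes (this is an example written for this page, not code from the thesis or from the HILECOP tool), the following Python model computes, for a single constructed place, the SITPN-side condition $t \in \text{Sens}(s'.M - \sum_{t_i \in \text{Pr}(t, \text{fired})} \text{pre}(t_i))$ and the VHDL-side priority authorization of (A.52)/(A.53), and compares them exhaustively; the arc list, transition names and helper names are assumptions. It also shows why the hypothesis $t \in \text{Firable}(s')$ is needed: without it, the two sides disagree on test and inhibitor arcs, whose authorization is hard-wired to true.

```python
# Added example (not part of the thesis or of the HILECOP tool): a small model
# of both sides of Lemma 46 for one place p. All names below are assumptions.
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Set, Tuple

BASIC, TEST, INHIB = "basic", "test", "inhib"


@dataclass(frozen=True)
class Arc:
    """Output arc of place p towards `transition`: pre(p, t) = (weight, kind)."""
    transition: str
    weight: int
    kind: str  # BASIC, TEST or INHIB


# Constructed place: output arcs listed in port index order. Among the basic
# (conflicting) arcs, a lower index means a higher firing priority, which is
# the ordering the thesis assumes for priority_authorizations / oaw / oat.
PLACE_ARCS: List[Arc] = [
    Arc("t1", 2, BASIC),
    Arc("t2", 1, BASIC),
    Arc("t3", 1, TEST),
    Arc("t4", 3, BASIC),
    Arc("t5", 2, INHIB),
]


def arc_of(arcs: List[Arc], t: str) -> Tuple[int, Arc]:
    """Return (port index j, arc) for output transition t of the place."""
    for j, a in enumerate(arcs):
        if a.transition == t:
            return j, a
    raise KeyError(t)


def sens(marking: int, a: Arc) -> bool:
    """t in Sens(m), restricted to p: basic/test need m >= w, inhib needs m < w."""
    return marking < a.weight if a.kind == INHIB else marking >= a.weight


def pr(arcs: List[Arc], fired: Set[str], t: str) -> Set[str]:
    """Pr(t, fired) = {t' in fired | t' > t}. Priority only exists between
    basic (conflicting) arcs of p, and t' > t iff t' has a lower port index."""
    j, a = arc_of(arcs, t)
    if a.kind != BASIC:
        return set()
    return {b.transition for b in arcs[:j] if b.kind == BASIC and b.transition in fired}


def sitpn_side(marking: int, arcs: List[Arc], fired: Set[str], t: str) -> bool:
    """t in Sens(s'.M - sum_{t_i in Pr(t, fired)} pre(t_i)), for place p only.
    pre(p, t_i) contributes its weight only through a basic arc (the f(t_i) of
    the proof); every member of Pr(t, fired) is basic here by construction."""
    _, a = arc_of(arcs, t)
    consumed = sum(arc_of(arcs, ti)[1].weight for ti in pr(arcs, fired, t))
    return sens(marking - consumed, a)


def vhdl_side(marking: int, arcs: List[Arc], fired: Set[str], t: str) -> bool:
    """pauths[j] of the place component after (A.52)/(A.53):
    sm >= vsots + oaw[j], where vsots sums oaw[i] over i < j with otf[i] true
    and oat[i] = basic. Test and inhib arcs get a hard-wired true."""
    j, a = arc_of(arcs, t)
    if a.kind != BASIC:
        return True
    sm = marking                                  # Lemma 32: s'.M(p) = sm
    oaw = [b.weight for b in arcs]                # output_arcs_weights
    oat = [b.kind for b in arcs]                  # output_arcs_types
    otf = [b.transition in fired for b in arcs]   # output_transitions_fired
    vsots = sum(oaw[i] for i in range(j) if otf[i] and oat[i] == BASIC)
    return sm >= vsots + oaw[j]


def mismatches(arcs: List[Arc], max_marking: int,
               require_firable: bool) -> List[Tuple[int, FrozenSet[str], str]]:
    """Compare both sides for every marking in [0, max_marking], every fired
    subset of the output transitions and every output transition t. With
    require_firable=True, the Lemma 46 hypothesis t in Firable(s') is enforced
    (here: t in Sens(s'.M) at place p); returns the disagreeing triples."""
    names = [a.transition for a in arcs]
    out: List[Tuple[int, FrozenSet[str], str]] = []
    for marking in range(max_marking + 1):
        for r in range(len(names) + 1):
            for combo in combinations(names, r):
                fired = set(combo)
                for t in names:
                    _, a = arc_of(arcs, t)
                    if require_firable and not sens(marking, a):
                        continue
                    if sitpn_side(marking, arcs, fired, t) != vhdl_side(marking, arcs, fired, t):
                        out.append((marking, frozenset(fired), t))
    return out


if __name__ == "__main__":
    print("with Firable hypothesis:", len(mismatches(PLACE_ARCS, 6, True)), "mismatches")
    print("without it:", len(mismatches(PLACE_ARCS, 6, False)), "mismatches")
```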

**Lemma 47** (Falling Edge Equal Not Fired). *For all  $\text{sitpn}, d, \gamma, \Delta, \sigma_e, E_c, E_p, \tau, s, s', \sigma, \sigma_i, \sigma_\downarrow, \sigma'$  that verify the hypotheses of Definition 23, then  $\forall t, \text{id}_t$  s.t.  $\gamma(t) = \text{id}_t, t \notin \text{Fired}(s') \Leftrightarrow \sigma'_t(\text{"fired"}) = \text{false}$ .*

*Proof.* Proving the above lemma is trivial by appealing to Lemma **Falling Edge Equal Fired** and by reasoning on contrapositives. □



