Copyright © 1999, by the author(s). All rights reserved.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission. EMBEDDED SOFTWARE -

AN AGENDA FOR RESEARCH by

Edward A. Lee

Memorandum No. UCB/ERL M99/63

11 December 1999 EMBEDDED SOFTWARE -

AN AGENDA FOR RESEARCH

by

Edward A. Lee

Memorandum No. UCB/ERL M99/63

11 December 1999

ELECTRONICS RESEARCH LABORATORY

College ofEngineering University ofCalifornia, Berkeley 94720 Embedded Software — An Agenda for Research

Edward A. Lee University of California at Berkeley [email protected]

December 11,1999

1.0 EMBEDDED SOFTWARE 1.1 Components

Embedded software is that which resides in devices that Components are an old concept with a new urgency. It arenotfirst-and-foremost computers. It is pervasive, appear seems obvious that complex embedded software will have to ing in vehicles, telephones, pagers, audio equipment, air be constructed from distinct modules of some sort. Ideally, craft, appliances, toys, security systems, games, PDAs, these modules are reusable, and embody valuable expertise medical diagnostics, weapons, pacemakers, television sets, in one or more aspects of the problem domain. video production equipment, network switches, printers, Software components for embedded systems are already scanners, climate control systems, manufacturing systems, a viable business. Many modems and cellular telephones etc. Embedded software engages the physical world, inter incorporate software components licensed from third parties acting directly with sensors and actuators. (primarily for the signal processingfunctions such as speech A technically active persontoday probably interacts reg coding and the radio modem). While these components do ularly with moreembedded software than conventional pro embody considerable expertise with some very difficult grams. This is a relatively recent phenomenon. Not so long functionality, their definition is ad-hoc, their architecture ago automobiles depended on finely tuned mechanical sys unsophisticated, and their role in a system totallystatic. They tems for the timing of ignition and its synchronization with will not adapt well as these systems are made network aware other actions. Today, embedded software has taken over and configurable. Networked embedded systems are likely these functions. to dynamically alter their architecture, as agents, changing service demands, and new software components arrive over Embedded software is traditionally the domain of prac ticingengineers, not research scientists. As a software prob the network. lem, it has been viewed by some as too small, too "retro" in In software, it is arguable that the most widely applied its use of quaint techniques such as assembly language pro component technology is subroutines. Subroutines are finite gramming, and too limited by hardware costs. The best soft computations that take pre-defined arguments and produce ware technologies, with their profligate use of memory, final results. Subroutinelibraries are marketable component layers of abstraction, elaborate algorithms, and statistical repositories. optimizationjust did not seem applicable. Since the research Subroutines,however,are a poor match for many embed results did not fit the problem, the problem was not interest ded system problems. Consider for example a speech coder ing. for a cellular telephone. It is artiticial to define the speech This has changed. Researchers now recognize the impor coder in terms of finite computations. It can be done of tance ofthe area and are beginning to retool their research to course, particularly with the help of syntactic mechanism address the very real, and very different software problems such as objects, which facilitate packaging data that persists ofembedded systems. across subroutine calls together with those subroutines. One reason for the changeis simply that hardware capa However, a speech coder is more like a process than a sub routine. It is a non terminating computation that transforms bilities have improved sufficiently that the profligate tech an unbounded stream ofinput data into an unbounded stream niques of old seem within reach for embedded systems. of output data. Indeed, a commercial speech coder compo However, thisproves onlyan enticement to look at the prob lem.The techniques need signiHcant adaptation. nent for cellular telephonyis likelyto be defined as a process that expects to execute on a dedicated signal processor. A second reason for the change is that embedded soft warehas become muchharderto design. Embedded systems Processes, and their cousin, threads, are widely used for are increasingly networked, which introduces significant concurrent software design. Indeed, processes can be viewed as a component technology, where a multitasking operating complications such as downloadable modules that dynami system or multithreaded execution engine provides the cally reconfigure the system. Moreover, consumers demand framework that coordinates the components. Component ever more elaborate functionality, which greatly increases the complexity of the software, making it much more diffi interaction mechanisms, monitors, semaphores, and remote cult for a single engineer to accomplish the task by finely procedure calls, are supported by the framework. In this con- tuning a few tens of kilobytes of assembly code. text, a process can be viewed as a component that exposes at chronous message passing? Rendezvous? Sema its interface an ordered sequenceof external interactions. phores? Monitors? Publish and subscribe? Timed However, as a component technology, processes and events? Transfer of control? In the latter case, the threads areextremely weak. A composition of twoprocesses components are states and their interactions are state is not a process (it no longer exposes at its interface an transitions. orderedsequence of externalinteractions). Worse, a compo • Lexicon. The lexicon of a framework is the vocabu sition of two processes is not a component of any sort that lary of the interaction of components. For components we can easily characterize. It is for Uiis reason that concur that interact by sending messages, thelexicon is a type rent programs built from processes or threads are so hard to system that defines the possible messages. The words get right.It is verydifficultto talkabouttheproperties of the of the vocabulary are types in some language(or fam aggregate because we have no ontology for the aggregate. ily of languages, as in CORBA). We don't know what it is. Along any of these dimensions, a framework may be very 1.2 Frameworks broad or very specific. The more constraints there are, the more specific it is. Ideally, this specificity comes with bene In this context, a framework is a set of constraints on fits. For example,Unix pipes do not support feedbackstruc components and their interaction, and a set of beneflts that tures, and therefore cannot deadlock. The internet is a derive from those constraints^ This is broader than, butcon firamework that primarily constrains the lexicon (byte sistent with the definition of frameworks in object-oriented streams) and the protocols (TCP/IP, UDP, and HTTP). These design [43]. By this deHnition, there are a huge number of constraints producethe primarybenefit of platformindepen frameworks, some of which are purelyconceptual, cultural, dence. or even philosophical, and some of which are embodied in Common practice in concurrent programming is that the software. Operating systems are frameworks where the com framework components are threads (the ontology), which ponents are programs or processes. Programming languages sharememory (theepistemology), and exchange objects(the are frameworks where the components are language primi lexicon) using semaphores and monitors (the protocols). tives and aggregates of these primitives, and the possible Thisis a verybroad framework withfewbenefits. In particu interactions are definedby the grammar. Distributed compo lar, it is hard to talk about the properties of an aggregate of nent middleware such as CORBA [9] and DCOM are frame components because an aggregate of components is not a works. Synchronous digitalhardware designprinciples are a component in the framework. framework. JavaBeansforma framework that is particularly A framework is often deeply ingrained in the human cul tuned to user interface construction. A particular class ture of the designers that use the framework. It fades out of library and policies for its use is a framework [43]. thedomain of discourse. I will aiguethattheTuring sequen- For any particular application domain, some frameworks tiality of computation issodeeply ingrained in contemporary are better than others. Operating systems with no real-time computer science culture that we no longer realize just how facilities have limited utility in embedded systems, for thoroughly we have banished time from the domain of dis example. In order to evaluate the usefulness of a framework, course. it is helpful to orthogonalize its services. The key challenge in embedded software research is to • Ontology. A framework defines what it means to be a invent frameworks with properties that better match the component. For example, is a component a subrou application domain. One of the requirements is that time be tine? A state transformation? A process? An object?A re-introduced. consequence of this definition is that an aggregate of components may or may not be a component. Certain 1.3 Models of computation semantic properties of components also flow from the definition. Is a component active or passive (can it A particularly useful sort of framework is a concurrent autonomously initiate interactions with other compo model of computation.The components in such a model are nents or does it simply react to stimulus)? entities capable of performing some computation, where conceptually (and maybe actually) the components perform • Epistemology. A framework defines states of knowl their computations in parallel. The model may restrict the edge. What does the framework know about the com components further by stating, for example, that components ponents? What do components know about one perform finite computations only in response to stimulus another? Can components interrogate one another to (from other components or from the framework, as for obtain information(i.e. is there reflectionor introspec example when a run-time scheduler is used). The mechanism tion)? What do components know about time? More by which components communicate is defined by the model generally, what information do components share? of computation. A model of computation, therefore, defines Scoping rules are part of the epistemology of many the ontology and protocols of a framework, and possibly frameworks. Connectivity of distributed components some or all of the epistemology, but none of the lexicon. are another part of the epistemology. Later we will give many examples of concurrent models of • Protocols. A framework constrains the mechanisms computation. by which components can interact. Do they use asyn

1. This elegantdefinitionis due to Bob Laddaga. 1.4 Domain specificity text. For instance, it often reduces concurrency to Embedded software oftenencapsulates domain expertise, "interleavings," whichtrivialize time by asserting that particularly when processing sensor dataor controlling actu all computations are equivalent to sequences of dis ators. Even very smallprograms may contain very sophisti crete time-less operations. cated algorithms, requiring deep understanding of the • In embedded systems, liveness is a critical issue. Pro domain and of supporting technologies such as signal pro grams must not terminate. In the Turing-Church view cessing. Theemerging embedded software components busi of computation, all non-terminatingprogramsfall into ness is a consequence of this. It is very difficult toreplicate a an equivalence class, implicitly deemed to be a class toll-quality speech coderor a radio modem withcommodity of defective programs. In embedded computing, how programmers. ever, terminating programs are defective. The term Partly because it is recent, and partly because of the "deadlock" pejoratively describes premature termina domain expertise required, embedded software is often tion ofsuch systems. It is to be avoided at all costs. designed by engineers who are classically trained in the • Typesystems are one of thegreat practical triumphs of domain, for example in internal combustion engines. They contemporary software. They do more than any other havelittlebackground in the theory of computation, concur formal method to ensure correctness of software. rency,object-orienteddesign, operating systems, and seman Object-oriented languages, with their user-defined tics. hi fact, it is arguable that Aese disciplines have littleto abstract data types, have had a big impact in both reus ofter to the embedded systemdesigner today becauseof their ability of software (witness the Java class libraries) mismatched assumptions about the role of time and because and the quality of software. Combined with design oftheir profligate use ofhardware resources. But these disci patterns [26] and object modeling [24], type systems plines will be essential if embedded software is to become give us a vocabulary for talking about larger structure more complex, modular, adaptive, and network aware. in software than lines of code and subroutines. How ever, object-oriented programming talks only about 1.5 Computation static structure. It is about the syntax of procedural programs, and says nothing about their concurrency or Why do we need to invent new frameworks? There are so many already. It is helpful to examine the underlying dynamics. Forexample, it is not part of the typesigna assumptions in modem approaches to computation to see ture of an object that the initialize() method must be what is missing. called before the go() method. Temporal properties of an object (method x() must be invoked every 10ms) • Time has been systematically removed from theories are also not part of the type signature. Work with of computation, since it is an annoyingproperty that active objects and actors [3][4] move a bit in the right computations take time. "Pure" computation does not direction by being a bit more explicit about dynamic take time, and has nothing to do with time. It is hard to properties of the interfaces of components. But they overemphasize how deeply rooted this is in our cul do not say enough about interfaces to ensure safety, ture. So called "real-time" operating systems have so liveness, consistency, or real-time behavior. little to go on that they often reduce the characteriza • Computer architecture, which would seem to be closer tion of a component(a process) to a single number, its priority. Even most "temporal" logics talk about to the physical world, and hence closer in spirit to "eventually" and"always," wheretimeis not a quanti embeddedsystems, has been tendingtowardsmaking fier, but rather a qualifier [64]. Attempts to imbue things harder for the designers of embedded systems. Much of the (architectural) performance gain in mod object-oriented design with real-time are far from sat isfactory [22]. Variants with more direct temporal rep em processors comes from statistical speedups such as resentations, such as timed I/O automata [63], elaborate caching schemes, speculative instruction execution, dynamic dispatch, and branch prediction. represent a step in the right direction, and need to be These techniques greatlycompromisethe reliabilityof adapted for the embeddedsystem design culture. Even the widely used term "synchronous," despite the embedded systems the way they are designed today, Greek root "chronos," has little to do with time (as and in fact are mostly not used in embedded proces usually used). It is a logicalpropertyof events, a set of sors such as programmable DSPs and microcontrol ordering constraints. Embedded systems confront time lers. I believe that these techniques have such a big the way humans do: as a relentless, measurable march. impact on average case performance that they are indispensable. But the software world will have find • In software practice, management of concurrency is abstractions that regain control of time, or the embed extremely primitive. Semaphores and monitors are the ded system designers will continue to refuse to use assembly language levelof concurrency. They are too these processors. difficult to use reliably, except by operating system experts. Only trivial designs are completelycompre The drastic mismatch between many of the modem software hensible (to most engineers). Over conservative rules techniques and the needs of embedded systems is not sur of thumb dominate(such as: always grab locks in the prising in view of the fact that interfacingto the real world same order [53]). Concurrency theory has much more has only recently begun to extend beyond keyboards and to offerthan concurrency practice, butagainit proba screens. (We should not forget that even the emphasis on bly needs adaptation for the embedded system con keyboards andscreens is relatively recent.) Computation has its roots in the transformation of data, not in the interaction with sensors, actuators, and humans. composed, methods similar to the compile-time and run-time type validation of Java need to be applied. 1.6 Real time software 1.7 Concurrency Starting when programmable DSPs [51] and microcon trollers speared in the 1970s, functionality has been Embedded systems engage the physical world. And in steadily shifting from hardware to software. This glib state the physical world, multiple things happen at once. Recon ment actually has profound consequences. What we mean by ciling the sequentiality of software and the concurrency of "software" is primarily sequential execution, where the the real world is a key challenge in the design of embedded same hardware resources are multiplexed in time to perform systems. Classical approaches to concurrency in software a variety of functions. That is, there is a single instruction (threads, processes, semaphore synchronization, monitors stream. What we mean by "hardware" is primarily parallel for mutu^ exclusion, rendezvous, and remote procedure execution, where hardware resources are not shared among calls) provide a good foundation, but are insufficient by functions (or at least, not as much). Ofcourse, there is a con themselves. Complex compositions are simply too hard to tinuum in between, with parallel execution of software and understand. multiplexing of hardware function units. Most embedded An alternative view ofconcurrency that seems much bet systems have significant hardware design as well as signifi ter suited to embedded systems is implemented in synchro cant software design, and a major part of the design space nous/reactive languages [10] such asj^terel [13], which are exploration considers the balance tetween these sequential used in safety-critical real-time applications. In Bsterel, con and parallel execution styles. currency is compiled away. Although this approach leads to The trend in embedded systems is certainly towards inte highly reliable programs, it is too static for networked grated processors that merge a variety of hard-real-time embedded systems. It requires that mutations be handled functions into a single instruction stream, towards the soft more as incremental compilation than as process scheduling, ware end ofthe continuum (see for example [77]). However, and incremental compilation for these languages proves to much work remains to be done before a single instruction be difficult. We need an approach somewhere in between stream is a viable option for the high performance functions that of Esterel and that of today's real-time operating sys such as signal processing. tems, with the safety and predictability of Esterel and the For hard-real-time functions, such as signal processing, adaptability ofa real-time operating system. concurrent tasks are often assigned distinct processors. For example the speech coders and radio modem operations in a 1.8 Requirements digital cellular telephone use processors distinct from the For embedded software, we need concurrent models of microcontroller that handles the overall control logic. Thus, computation that are easier to get right than threads, sema despite being primarily software components, the speech phores,and monitors.Weneed to make time a first-class part coders and radio modems have a hardware nature in that they of the programming exercise, and talk about the temporal require dedicated, unmultiplexed hardware resources. correctness, not just functional correctness of programs.We In theory, as the performance of embedded processors need to discard termination as a criterion for correctness (and improves, there should be less need for such hardware spe- reuse it as a criterion for incorrectness). cisjization. However, real-time operating systems are not yet This requires rethinking some concepts. The undecid- able to reliably handle many hard-real time tasks.In practice, ability of hating has been inconvenient tecause we cannot they are handled today by either dedicated hardware or by identify programs that fail to halt. Now it should be viewed processors that so greatly exceed the minimum performance as inconvenient because we cannot identify programs that capabilitiesthat failure is unlikely despite the unpredictabil fail to keep running. "Synchronization" needs to once again ity introduced by multitasking. take into account "chronos." And correcmess cannot be Before this situation can change, we have to rethink mul viewed as getting the right final answer. It has to take into titasking. First, component interface definitions need to account the timeliness of a continuing stream of partial declare temporal properties. Not just a priority, which is only answers. sufficient under the rarely applicable assumptions of rate- Embedded software design has much in common with monotonic scheduling [60][48], but they need to declare the hardware design, so perhaps there are some lessons to be dynamics (phases of execution, exception handling, modes learned by looking at hardware design. Hardware is highly of operation, and yes, also periodicity where appropriate). concurrent. Conceptually, hardware is an assemblage of Then compositions of components need to have consistent components that operate continuously or discretely in time and non-conflicting temporal properties, much as today and interact via synchronous or asynchronous communica compositions of objects need to have compatible types tion. Software is an assemblage of components that trade off where they interact. use of a CPU, operating sequentially, and communicating by One possible approach views all executing processes as leaving traces of their (past and completed) execution on a part of a single application. Since processes can come and stack or in memory. go, this single application has a dynamically changing soft A primary abstraction mechanism in software is the pro ware architecture. It may be better viewed as a dynamically cedure (or the method). Procedures are terminating computa changing application than as a set of disjoint applications tions. The primary abstraction mechanism in hardware is a with minimal interconnectedness. When components are module, such as a chip, that operates fiilly concurrently with the other components with which it is combined. These are Agha describes actors, which extend the concept of very different abstraction mechanisms. Hardware modules objects to concurrent computation [S]. Actors encapsulate a do not start, execute, complete, and return. thread of control and have interfaces for interacting with Object orientation couples procedural abstraction with other actors. The protocols used for this interface are called data to get data abstraction. Objects, however, are passive, interaction patterns, and are part of the model of computa requiring external invocation of their methods. Active tion. Agha argues that no model of concurrency can or objectsare more like an afterthought, requiring still a model should allow all communication abstractions to be directly of computation to have any useful semantics. Hardware is expressed. He describes message passing as akin to "gotos" active, more like processes than objects, but with a clear and in theirlackof structure. Instead,actorsshouldbe composed cleansemanticsthat is firmlyrootedin the physicalworld. using an interaction policy. Indeed, the synchronous abstraction that is widely used in hardware to build large, complex, and modular designs 2.1 Concurrency has more recently been applied to software [10]. Also, hard Design of networked embedded systems will require ware models are conventionallyconstructed using hardware specification and modeling techniques that support description languages such as Verilog and VHDL; these lan concurrency. In practice, concurrency seriously complicates guage realize a discrete-event model of computation that system design. No universal model of computation has yet makes time a first-class concept, information shared by all emerged for concurrent computation (although some components. Discrete-event models are sometimes used for proponentsof one approach or another will dispute this). By software systems, particularly in the contextof networking. contrast, in sequential computation, the Von Neuman model Conceptually, the distinction between hardware and soft of computation is a wildly successful universal abstraction. ware, from the perspective of computation, has only to do A key part of this success is that time is reduced to a total with the degree of concurrency and the role of time. An order ofdiscrete events, in which sequencing is sufHcient for application with a largeamountof concurrency and a heavy correctness. In distributed systems, maintaining such a total temporalcontent might as well be thought of using hardware order globally is expensive, except for very small systems. In abstractions, regardless of how it is implemented. An appli practice, events are partially ordered at best. This makes it cation that is sequential and without temporal behavior difficult to maintain a global notion of "system state," an might as well be thought of using software abstractions, essential part ofthe Von Neumann model. regardless of how it is implemented. The key problem In networked embedded systems, communication band becomes one of identifying the appropriate abstractions for width and latencies will vary over several orders of magni representing the design. tude, even within the same system design. A model of A sophisticated component technology for embedded computation that is well-suited to small latencies (e.g. the software will talk more about processes than procedures. It synchronous hypothesis used in digital circuit design, where will talk about concurrency and the models of computation computation and communication take "zero" time) is usually used to regulate interaction between components. And it will poorly suited to large latencies, and vice versa. Thus, practi talk about time. cal designs will almost certainly have to combine tech niques. 1.9 Problems not addressed It is well understood that effective design of concurrent systems requires one or more levels of abstraction above the There are a number of interesting research problems hardwaresupport.A hardware system with a sharedmemory related to embedded systems that we do not address here. model and transparent cache consistency, for example, still Human-computer interaction, for example, is a key part of requires at least one more level of abstraction in order to makingembeddedsystemspervasive and useful.Ideally, the achieve determinate distributed computation. A hardware embedded software becomes transparent, mediating a natu system based on high-speed packet-switched networks could ral and intuitive interaction with the physical world. Also, introduce a shared-memory abstraction above this hardware conflgurable hardware offers interesting opportunities and support, or it could be used directly as the basis for a higher challenges, and potentially relates stronglyto the problem of level of abstraction. Abstractions that can be used include selecting appropriate models of computation. Finally, hard the event-based model of Java Beans, semaphores based on ware and software design techniques that minimize power Dijkstra's PA^ systems [21], guarded communication [40], consumption are critical for portable devices. But I focus rendezvous, synchronous message passing, active messages here on embedded software construction, leavingfor some [84], asynchronous message passing, streams (as in K^n one else to set the agendaon these other importantproblems. process networks [45]), dataflow (commonly used in signal and image processing), synchronous/reactive systems [10], 2.0 MODELS OF COMPUTATION Linda [18], and many others. These abstractions partially or completely define a model A model of computation is the "laws of physics" of con of computation, the modular organizational and operational current components, including what they are (the ontology) principles of a system. Applications are built on a model of how they communicate and how their flows of control are computation, whether the designer is aware of this or not. related (the protocols), and whatinformation they share (the Each possibility has strengths and weaknesses. Some guar epistemology). It is their concurrent semantics. antee determinacy, some can execute in bounded memory, and some are provably free from deadlock. Different styles of concurrency are often dictated by the application, and the choiceof modelof computation can subtly affect the choice ment is to find a fixed-point, i.e., a set of functions of time of algorithms. While dataflow is a good match for signal that satisfy all the relations. processing, for example, it is a poor match for transaction- Differential equations are excellent for modeling analog based systems, control-intensive sequentialdecision making, circuits andmany physical systems. As such, theyarecertain and resource management. to play a role in embedded systems, where sensors and actu It is fairly common to support models of computation ators interact with the physical world. Embedded systems with language extensions or entirely new languages. Occam, frequently contain components that are best modeled using for example, supports synchronous message passing based differential equations, such as microelectromechanical sys on guarded communication [40]. Esterel [13], Lustre [33], tems, aeronautical systems, mechanical components, analog Signal[11],and Argos [65]supportthe synchronous/reactive circuits, and microwave circuits. These components, how model. These languages, however, have serious drawbacks. ever, interact with an electronic system that may serve as a Acceptance is slow, platforms are limited, support software controllerand a recipient of sensordata.This electronic sys is limited, and legacy code must be translated or entirely tem may be digital, in which case there is a fundamental mis rewritten. match in models of computation. Joint modeling of a An alternative approach, is to explicitly use models of continuous subsystem with digital electronics is known as computation for coordination of modular programs written mixed signal modeling. in standard, more widely used languages. In other words, Differential equations form the model of computation one can decouple the choice of programming language from used in Simulink, Saber, and VHDL-AMS, and are closely the choice of model of computation. This also enables mix related to that in Spice circuit simulators. ing such standard languages in order to maximally leverage their strengths. Thus, for example, a networked embedded 2.2.2 Difference equations application could be described as an interconnection of mod ules, where modules are written in some combination of C, Differential equationscan be discretized to get difference Java, and VHDL. Use of these languages permitsexploiting equations, a commonly usedmodel of computation in digital their strengths. For example, VHDL provides FPGA target signalprocessing. This modelof computation can be further ing for reconrigurable hardware implementations. Java, in generalized to support multirate difference equations. In theory, providesportability, migratability, and a certain mea either case, a global clock defines the discrete points at sure ofsecurity. which signals have values (at the ticks). The interaction between modules could follow any of Difference equations are considerably easier to imple several principles,e.g., those of Kahn process networks [45]. mentin softwarethan differential equations.Their key weak This abstraction provides a robust interaction layer with nesses are the global synchronization implied by the clock, looselysynchronized communication and support for muta and the awkwardness of specifyingirregularly timed events ble systems (in which subsystems come and go). It is not and control logic. directlybuiltintoany of the underlying languages, but rather interacts with them as anapplication interface. Theprogram 2.2.3 Finite-state machines mer uses them as a design pattern [26] rather than as a lan guage feature. Larger applications may mix more than one In FSMs, bubbles represent systemstate and arcs repre model of computation. For example, the interaction of mod sent state transitions. The simple FSM model of computa ules in a real-time, safety-critical subsystem might follow tion is not concurrent. Execution is a strictly ordered the synchronous/reactive model of computation, while the sequence of state transitions. Transition systems are a more interaction of this subsystem with other subsystems follows general version, in that a given bubble may represent more a process networks model. Thus, domain-specific than one system state (and there may be an infinite number of bubbles). approaches can be combined. FSM models are excellentfor controllogicin embedded 2.2 Examples of models of computation systems, particularly safety-critical systems. FSM models are amenable to in-depth formal analysis, using for example There are a rich variety of models of computation that model checking, and thus can be used to avoid surprising deal withconcurrency and timein different ways.In thissec tion, we outline some of the most useful models for embed ded systems. All of these will lend a semantics to the same bubble-and-arc, or block-and-arrow diagramshownin figure 1. The bubbles are components and the arcs between them are their interconnections. The diagram suggests an episte- mology where A knows about C but not about B.

2.2.1 Differential equations One possiblesemanticsfor the syntax in figure 1 is that of differential equations. The arcs represent continuous func tions of a continuum (time).The bubbles represent relations Figure 1. A single syntax (bubble-and-arc or block-and-arrow between these functions. The job of an execution environ diagram) can have a number of possible semantics. behavior. Moreover, FSMs are easily mappedto either hard ferential equations, and difference equations, there is a glo ware or software implementations. bally consistent notion oftime. FSM modelshave a numberof key weaknesses. First, at DE models are excellent descriptions of concurrent hard a very fundamental level, they are not as expressive as the ware, although increasingly the globally consistent notion of other models of computation described here. They are not time is problematic. In particular, it over-specifies (or over- sufficiently rich to describe all partiallyrecursive functions. models) systems where maintaining such a globally consis However, this weakness is acceptable in light of the formal tent notion is difficult, including large VLSI chips with high analysis that becomes possible. Many questions about clockrates,and networked distributed systems. A key weak designs are decidable for FSMs and undecidable for other ness is that it is relatively expensive to implement in soft models of computation. Another key weakness is that the ware, as evidenced by the relatively slow simulators. number of statescan get verylargeeven in the face of only modestcomplexity. This makesthe modelsunwieldy. 2.2.6 Cycle-driven models The latter problem can oftenbe solvedby usingFSMsin combination with concurrent models of computation. This Somesystemswith timed eventsare driven primarily by was first noted by Harel, who introduced the Statecharts for clocks,signalswitheventsthat are repeatedindefinitely with malism. Statechaits combinea looseversion of synchronous/ a Exed time interval. Although discrete-event modeling for reactive modeling (described below) with FSMs [34]. State- suchsystems is possible, it is costly, primarily due to the pri charts have been adopted by UMLfor modeling the dynam ority queue that sorts events chronologically. Cycle driven ics of software [24]. FSMs have also been combined with models associate components with clocks and stimulate differential equations, yielding the so-called hybrid systems computations regularly according to the clock ticks. This can model of computation [39]. lead to considerably more efficient execution. FSMs can be hierarchically combined with a huge vari In the Scenic system [59], for example, the components ety of concurrent models of computation. We call the result are processes that run indefinitely, stall to wait for clock ing formalism "*charts" (pronounced"starcharts") where the ticks,or stall to waitfor some conditionon the inputs (which star represents a wildcard [29]. Thus, they present a promis are synchronous with clock ticks). Scenic also includes a ing modelthat is capableof abstracting program dynamics. clever mechanism for modeling preemption, an important feature of many embedded systems. Scenic has evolved into the SystemCspecification for system-level hardware design 2.2.4 Synchronous/reactive models (see http://systemc.org). In the synchronous/reactive (SR) model of computation [10],the arcs representdata valuesthat are aligned with glo 2.2.7 Synchronous message passing bal clock ticks. Thus, they are discrete signals,as with differ ence equations, but unlike difference equations, a signal In synchronous message passing, the components are neednot havea valueat everyclocktick.The bubbles repre processes, and processes communicate in atomic, instanta sent relations between input and output values at each tick, neous actions called rendezvous. If two processes are to and are usually partial functions with certain technical communicate, and one reaches the point first at which it is restrictions to ensure determinacy. Examples of languages ready to communicate,then it stalls until the other process is that use the SR model of computation include Esterel [13], ready to communicate. "Atomic" means that the two pro Signal [11],Lustre [19], and Argos [65]. Argos is a cleaner cesses are simultaneously involved in the exchange, and that version of Statecharts that assumes SR concurrency seman the exchange is initiated and completed in a single uninter- ruptable step. Examples of rendezvous models include tics. Hoare's communicatingsequentialprocesses (CSP) [40] and SR models are excellent for applications with concurrent Milner's calculus of communicating systems (CCS) [68]. and complexcontrollogic.Becauseof the tight synchroniza This model of computation has been realized in a number of tion, safety-critical real-time applications are a good match. concurrent programming languages, including Lotos and However, also because of the tight synchronization, some Occam. applications are overspecified in the SR model, which thus limits the implementation alternatives and makes distributed Rendezvous models are particularly well-matched to systems difficult to model. Moreover, in most realizations, applications where resource sharing is a key element, such as modularity is compromised by the need to seek a global client-serverdatabase models and multitaskingor multiplex fixed point at each clock tick. ing of hardware resources. A key weakness of rendezvous- based models is that maintaining determinacy can be diffi cult. Proponents of the approach, of course, cite the ability to 2.2.5 Discrete-event models model nondeterminacy as a key strength. In discrete-event (DE) models of computation, the arcs represent sets ofevents placed in time. An event consists of a 2.2.8 Asynchronous message passing valueand timestamp.This model of computation is popular for specifying hardware and simulating telecommunications In asynchronous message passing, processes communi systems, and has been realized in a large number of simula cate by sending messages through channels that can buffer tion environments, simulation languages, and hardware the messages. The sender of the message need not wait for description languages, including VHDLand Verilog. Unlike the receiver to be ready to receive the message. There are the SR model, there is no global clock tick, but like SR, dif several variants of this technique, but I focus on those that ensure determinate computation, namely Kahn process net ontopof a netwoik-based distributed component technology works [45] and dataflow models. calledJini [85]. A more elementary version can be foundin In a process network (PN) model of computation, the the CORBA Event Service API. arcs represent sequences of data values (tokens), and the The PS model of computation is well-suited to highly bubbles represent functions that map input sequences into irregular, untimed communications. By"irregular" we mean output sequences. Certain technical restrictions on these both in time (sporadic) andin space (the publisher need not functions arenecessary to ensure determinacy, meaning that know who the subscribers are, and they can be constantly the sequences are fully specified. Dataflow models, popular changing). Schmidt has extended the CORBA Event Service in signal processing, are a special case of process networks with notions of time (atthe level ofstandard real-time oper [57]. Dataflowmodelsare also closelyrelated to functional atingsystems), making themodel particularly well suited for programming, although stylistically the two often lookvery coordinating loosely coupled embedded components [79]. different. PN models are excellent for signal processing. They are 2.2.11 Unstructured events loosely coupled, and hence relatively easy to parallelize or distribute. Theycanbe implemented efficiently in bothsoft TheJavaBeans, COM, and CORBA frameworks allpro ware and hardware, andhence leave implementation options vide a very loose model of computation that is based on open. A key weakness of PN models is that they are awk method calls with no particularcontrol on the order in which ward for specifyingcontrol logic. method calls occur. This is a highly flexible model of com putation, and forms a good foundation for more restricted Several special cases of PN are useful in certain circum models of computation (such as theCORBA Event Service). stances. Dataflow models construct processes of a process It hasa key advantage that since no synchronization is built network as sequences of atomic actorfirings. Synchronous in, then unsynchronized interactions can be easily imple dataflow (SDF) is a particularly restricted special case with mented with no risk of deadlock. A major disadvantage, the extremely useful property that deadlock and bounded- however, is that if synchronization is required, for example ness are decidable [47][52][54][55]. Boolean dataflow to enforce dataprecedences, thentheprogrammer mustbuild (BDF) is a generalization that sometimes yields to deadlock up the mechanisms from scratch, and maintaining determi and boundedness analysis, although fundamentally these nacy and avoiding deadlock become difficult. questions remain undecidable [16]. Dynamic dataflow (DDF) uses only run-time analysis, and thus makes no 2.3 Choosing models of computation attempt to statically answer questions about deadlock and boundedness [42][46][71]. The rich variety of concurrent models of computation outlined abovecanbe daunting to a designer faced withhav 2.2.9 Timed CSP and timed PN ing to select them. Most designers today do not face this choice because they get exposed to onlyoneor two. This is CSP and PN both involve threads that communicate via changing, however, as the level of abstraction and domain- message passing, synchronously in the former case and specificity of design practice both rise. We expect that asynchronously in the latter. Neither model intrinsically sophisticated and highly visual user interfaces will be needed includes a notion of time, which can make it difficult to to enable designers to cope withthis heterogeneity. interoperate with models that do include a notion of time. In • fact, message events are partially ordered, rather than totally An essential difference between concurrent models of ordered as theywould be were theyplaced on a timeline. computation is their modeling of time. Some are very explicit by taking time to be a real number that advances uni Both models of computation can be augmented with a formly, and placing events ona time line orevolving contin notion of time to promote interoperability and to directly uous signals along the time line. Others are more abstract model temporal properties (see for example [74]). In the and take time to be discrete. Others are still more abstract Pamela system [82], threads assume that time does not and take time tobemerely a constraint imposed bycausality. advance while they are active, but can advance when they This latter interpretation results in time that is partially stall on inputs, outputs, or explicitly indicate that time can ordered, andexplains much of theexpressiveness in process advance. By this vehicle, additional constraints are imposed networks andrendezvous-based models ofcomputation. Par on theorderof events, anddeterminate interoperability with tially ordered time provides a mathematical framework for timed models of computation becomes possible. This mech formally analyzing and comparing models of computation anism has the potential of supporting low-latency feedback [58]. and configurable hardware. Many researchers have thoughtdeeplyaboutthe role of time in computation. Benveniste et al, observe that in certain 2.2.10 Publish and subscribe classes of systems, "the nature of time is by no means The publish and subscribe (PS) model of computation universal, but rather local to each subsystem, and uses notification of events as the primary means of interac consequently multiform" [11]. Lamport observes that a tionbetween components. A component declares an interest coordinated notionof time cannot.be exactly maintained in in a family of events (subscribes), and another component distributed systems, and shows that a partial ordering is asserts events (publishes). Some of the more sophisticated sufficient [50]. He givesa mechanism in which messages in realizations of this principle are based on Linda [6][18], for an asynchronous system carry time stamps and processes example JavaSpaces from Sun Microsystems, which is built manipulate these time stamps. We can then talk about processes having information or knowledge at a consistent cut, rather than "simultaneously". Fidge gives a related These visual depictions offer an alternative syntax to mechanism in which processes that can fork and join associate with the semantics of a model of computation. increment a counter on each event [25]. A partial ordering Visual syntaxes can be every bit as precise and complete as relationship between these lists of times is determined by textualsyntaxes, particularlywhen they are judiciously com process creation, destruction, and communication. If the bined with textual syntaxes. number of processes is fixed ahead of time, then Mattem Visualrepresentations of modelshave a mixedhistory. In gives a more efficient implementation by using "vector circuitdesign,schematic diagrams used to be routinely used time"[67].Allof this workoffersideasfor modeling time. to capture all of the essential information needed to imple How can we reconcile this multiplicity of views? A ment some systems. Schematics are often replaced today by grand uniHed approach to modeling would seek a concurrent text in hardware description languages such as VHDL or model of computationthat serves all purposes.This could be Verilog. In other contexts, visual representations have accomplished by creating a melange, a mixture of all of the largely failed, for example flowcharts for capturing the above, but such a mixture would be extremely complex and behavior of software. Recently, a number of innovative difficult to use, and synthesis and validation tools would be visual formalisms have been garnering support, including difficult to design. visual dataflow, hierarchical concurrent finite state Another alternative would be to choose one concurrent machines, and object models. The UML visual languagefor model of computation, say the rendezvous model, and show object modeling, for example, has been receiving a great that all the others are subsumed as special cases. This is rela deal of attention [24]. tivelyeasy to do, in theory. Most of these models of compu A subset of visual languages that are recognizable as tation are sufficiently expressive to be able to subsume most "block diagrams" represent concurrent systems in domain- of the others. However, this fails to acknowledge the specific ways. There are many possible concurrency seman strengths and weaknesses of each model of computation. tics (and many possible models of computation) associated Process networks, for instance, are very good at describing with such diagrams. Formalizing the semantics is essential if the data dependencies in a signal processing system, but not these diagrams are to be used for embeddedsystem specifi as good at describing the associated control logic and cation and design. resource allocation. Finite-state machines are good at model ing at leastsimplecontrollogic,but inadequate for modeling data dependencies in numeric computation. Rendezvous- 3.0 REALTIME based models are good for resource management, but they overspecify data dependencies. Thus, to design interesting Virtually all embedded systems, as well as many systems, designers need to use heterogeneous models. emerging applications of desktop computers, involve real time computations. Some of these have hard deadlines, Certain architecture description languages (ADLs), such typically involving streaming data and signal processing. as Wright [8] and Rapide [62], define a model of computa Examples include communication subsystems, sensor and tion. The models are intended for describingthe rich sorts of actuator interfaces, audio and speech processing subsystems, component interactions that commonly arise in software and video subsystems. Many of these require not just real architecture. Indeed, such descriptions often yield good time throughput,but also low latency. insights about design. But sometimes, the match is poor. In general-purpose computers, these tasks have been his Wright, for example, which is based on CSP, does not cleanly describe asynchronous message passing (it requires torically delegated to specialized hardware, such as Sound giving detailed descriptions of the mechanisms of message Blaster cards, video cards, and modems. In embedded systems, these tasks typically compete for resources. As passing). I believe that what we really want are architecture design languages rather than architecture description lan embedded systems become networked, the situation gets much more complicated, because the combination of tasks guages. That is, their focus should not be on describing cur competing for resources is not known at design time. rent practice, but rather on improving future practice. Wright, therefore, with its strong commitment to CSP, Some such embedded systems incorporate a real-time should not be concerned with whether it cleanly models operating system, which in addition to standard operating asynchronous message passing. It should intend take the system services such as I/O, offers specialized scheduling stand that asynchronous message passing is a bad idea for services tuned to real-time needs. The schedules might be the designs it addresses! based on priorities, using for example the principlesof rate- monotonic scheduling [60][48], or on deadlines. There 2.4 Visual syntaxes and visualizing dynamics remains much work to be done to improve the match between the assumptions of the schedulingprinciple(suchas A major part of designing robust networked embedded periodicity, in the case of rate-monotonic scheduling) and systems will be ensuring that the designers understand their the realities of embedded systems. Because the match is not behavior. Achieving this understanding in the face of always good today, many real-time embedded systems mutating software architecture, concurrency, and real time contain hand-built, specialized microkernels for task will be difficult. Visualdepictions of systems have always scheduling. Such microkernels, however, are rarely held a strong human appeal, making them extremely sufficiently flexible to accommodate networked effective in conveying information abouta design. Many of applications, and as the complexity of embedded the models of computation described above can use such applications grows, they will be increasingly difficult to depictions to completelyand formallyspecify models. design. The issues are not simple. 3.1 Reactive Systems two,exceptin trivialcases.A chronicproblemwith priority- based scheduling, known as priority inversion,is one mani Reactive systems are thosethatreactcontinuously to their festation of this problem. environment at the speed of the environment. Hare! and Pnueli [36] and Berry [12] contrast them with interactive Priority inversion occurs when processes interact, for systems, which react with the environment at their own example by entering a monitor to obtain exclusive access to speed, and transformational systems, which simply take a a shared resource. Suppose that a low priority process has body of input data and transform it into a body of output access to the resource,and is preemptedby a mediumprior data. Reactive systems have real-time constraints, and are ity process. Then a high priority process preempts the irequently safety-critical, to the point that failures could medium priority process and attempts to gain access to the resultin lossof humanlife.Unlike transformational systems, resource. It is blocked by the low priority process, but the reactive systems typicallydo not terminate (unless they fail). low priorityprocessis blockedby the presenceof an execut able process with higher priority, the medium priority pro Robust distributed networked reactive systems must be cess. By this mechanism, the high priority process is capable of adapting to changing conditions. Service effectively blocked by the medium priorityprocess. demands, computing resources, and sensors may appearand disappear. Quality of service demands maychange as condi Althoughthere are ways to preventpriorityinversion, the tions change. The system is therefore continuously being problem is symptomatic of a deeper f^ailure. In a priority- redesigned while it operates, and all the while it must not based scheduling scheme, processes interact both through fail. the scheduler and through the mutual exclusion mechanism A number of techniques have emerged to provide more (monitors) supported by the framework. These two interac tion mechanisms together, however, have no coherent com robust support for reactive system design than what is pro vided by real-time operating systems. The synchronous lan positional semantics. It seemslike a fruitful research goalto guages, such as Esterel [13], Lustre [33], Signal [11], and seek a better mechanism. Argos [65], are reactive, have been used for applications where validation is important, such as safety-critical control 4.0 COMPONENT INTERFACES systems in aircraft and nuclear power plants. Lustre, for example, is used by Schneider Electric and Aerospatiale in A properagendafor research should detail somespeciHc France,and Esterelis used by Dasa. Use of these languages promising directions, some for the near term and some more is rapidly spreading in the automotive industry, and support speculative. On the morespeculative side, I believethat type for them is beginning to appear on commercial EDA (elec system concepts can be extended to drastically change the tronic design automation) software. design of concurrent components in a real-time context. At Most of these uses of synchronous languages have only its root, a typesystem constrains whata component cansay needed fairly small-scale monolithic programs, although about its interface, and how compatibility is ensured when there have been investigations into distributed versions. For components are composed. Ma^ematically, type system example, extensions to Esterel support processes that do not methods dependon a partialorderof types,typically deflned obey the synchronous hypothesis [14]. Processes communi by a subtyping relation or by lossless conveitibility. They cate via channels with rendezvous. This has been subse can be built from the robust mathematics of partial orders, quentlyextended to add process suspension and resumption. leveraging for example fixed-point theorems to ensure con vergence of type checking, type resolution, and type infer These languages manageconcurrency in a very different ence algorithms. way than that found in real-time operating systems. Their mechanism makesmuchheavier use of static(compile-time) ^^^th this veiy broad interpretation of type systems, all analysis of concurrency to guarantee behavior. However, we need is that the properties of an interface be given as ele compile-time analysis of concurrency has a serious draw ments of a partialorder, preferably a complete partial order back: it compromises modularity and precludes adaptive (CPO) or a lattice [80]. I suggest first that dynamic proper software architectures. ties of an interface, such as the protocols used by a compo nent to interact with other components, can be described 3.2 Scheduling using nondeterministic automata, and that the pertinent par tial ordering relation is the simulation relation between Although scheduling is an old topic, it is certainly not automata. I also speculate that various timed automata exten played out. A real-time schedulerprovidessome assurances sions can perhaps be used in similar ways to define much given certain properties of the components, such as the more completely the temporal properties ofan interface than period of their periodic invocation, or the deadlines associ what is common practice today. ated with certain tasks. Rate monotonic scheduling princi ples [60][48] translate the first of these into priorities. 4.1 Strongly typed languages Priorities may also be given based on semantic information about the application, for example reflecting the criticality Type systems in modem languages serve to promote safety through static (compile time) and dynamic (run time) with which some event must be dealt with. checking. In a computation environment, two kinds of run A key problem in scheduling is that most methods are not time errors can occur, trapped errors and untrappederrors. compositional. That is, even if assurances can be provided Trappederrorscause the computation to stopimmediately. A individually to a pair of components, there are no systematic run-time handler can attempt to recover gracefully. mechanismsfor providing assurances to the aggregate of the Untrapped errors, which may go unnoticed (for a while) and

10 later cause arbitrary behavior, can be disastrous for an grams. However, with networked embedded systems where embedded system. Moreover, they are less likely to be parallel execution, agents, migrating code, and software detected in testing. Examplesof untrapped errors in many upgrades are all possibilities, static type checking does not generalpurposelanguagesarejumping to the wrongaddress, do enough. Some of the type checking must be done at nm or accessing data past the end of an array. time. Java's run-time type identification (RTTI) system Strongly typedlanguages help prevent both trapped and together with its reflection package specifically addresses untrapped errors. Many errors are detected at compile time, this problem by supporting run-time queries of type con andrun-time support forthetypesystem canhelpensure that straints and run-time verificationof type compatibility. theremaining errors aretrapped. This helps prevent arbitrary Type systems in modem programming languages, how behavior, but it only deals with certain aspects of program ever,do not go far enough.Manyerrorsthat in principlemay behavior. Moreover, run-time support for the type system, be detectable at compile time are not within the scope of the which can be provided systematic^ly through preconditions type system. Several researchers have proposed extending and contracts, may incur substantial overhead. the type system to handle such errors as array bounds over- Modem languages, such as Java and ML, emphasize mns, which are traditionally left to the run-time system [87]. avoiding untrapped errors. There is significant run-time But many are still not dealt with.For example,the communi overhead inciured in the required safety checks. Several cation protocols between concurrent processes are not type researchers have shown that in many cases, this overhead checked. Yetfailures in concurrencyand synchronizationare can be eliminated through compile-time analysis (see for common causes of critical system failures in embedded sys example [87]). The approachis to augmentthe type system tems. to include such properties as array size, and then to annotate the generated code with assertions of safety. A mn-time 4.2 Process-level type systems environment can thus bypass the safety checks. Ousterhout [70] argues that strong typing compromises The first-order mechanism for assurance is that the designer understand the system. But generally the designer modularity and discourages reuse. needs a great deal of help. Object-oriented programming, for *Typing encourages programmers to create a vari example, helps a designer understand the static structure of a ety of incompatible interfaces, each interface software architecture by providing syntactic features of the requires objects of specific type and the compiler language supporting object-oriented design, and by prevents any other types of objects from being used providing a compiler that checks types. I suggest that with the interface, even ifthat would be useful." extended types that include dynamic properties of an Thealternative headvocates is languages without strongtyp interface will require novel syntactic language support as ing, such as Lisp and Tel, where safety can only be achieved well as new compiler and run-time techniques. by extensive run-time checking. However, since type check The best parts of UML (especially the static structure ing is postponed to the last possible moment, the system diagrams) are those that are directly supported by the lan does not have fail-stop behavior, so a system may exhibit guage syntaxes used by designers (especially C++ and Java). erroneous behavioronly after runningfor an extended period The syntactic structure of a program directly reflects the of time after the error has occurred.Identifyingthe sourceof object model, and the compiler assures consistency in the the problem can be difficult, and guaranteeing the code may model. The weakest parts of UML (especially its variant of be impossible. Statecharts for state diagrams and its modeling of concur Ousterhout raises a valid point, but the solution is not to rency) are those with no syntactic support in the widely used discard strong typing. Particularly for embedded systems, languages. Few tools are available for ensuring consistency the extra degree of safety offered by strong typing over between programs and their models and for validating the whelms even the desire for modularity and reuse. How can models. Perhaps eventually code generation from these mod we achieve modularity and reuse without discarding strong els will ameliorate this, although this really amounts to typing? One solution is to use polymorphism, reflection, and defining new languages with graphical syntaxes, a non-triv run-time type inference and type checking. ial challenge. Strong typing and type resolution have other benefits in Extended type systems could, in principle, capture the addition to the ones mentioned above.Strongtypinghelpsto following aspects of a system; clarify the interfaces of components and makes libraries • protocols for communication between processes (e.g. more manageable. Just as typing may improve run-time effi rendezvous, asynchronous message passing, streams, ciency in a general-purpose language by allowing the com events); piler to generate speci^ized code, type information can be • models of time (e.g. a continuum, discrete, clocked, used for efficient synthesis of embedded hardware and soft ware configurations. For example, if the type checker asserts partially ordered); and that a certain polymorphiccomponentwill only receive inte • flow of control (e.g. synchronous, scheduled firings, gers, and that component is to be implemented in config process scheduling, real-time). urable hardware, then only hardware dealing with integers needs to be synthesized. This can be done without modifying the underlying lan guages, but rather by overlaying on standard languages In general-purpose strongly-typed languages, such as design patterns that make these types explicit. These will be C++andJava,statictypechecldng doneby the compiler can polymorphic, offering a systematic approach to tolerant find a large fraction of program errors in object-oriented pro interfaces. A key part of the research here is to identify the

11 syntactic languagesupport for such types. in a real-time context. Esterel is a notable one of these[13]. Note that there is considerable precedent for such aug Esterel compilers synthesize run-time algorithms that con mentations of the type system. For example, Lucassen and vergeto a frxed pointat eachclock of a synchronous system Gifford introduce state intofunctions using the type system [11]. Such synthesis requires detailed static information to declare whether functions are free of side effects [61]. aboutthe structure of the application, but methods havebeen Martin-Lof introduces dependent types, in which types are demonstrated that use lessstaticinformation [23]. Although indexed by terms [66]. Xi uses dependent types to augment these techniques have not been proposed primarily in the the typesystem to include array sizes, anduses typeresolu contextof a type system,I believethey can adapted. tion to annotate programs that do not need dynamic array bounds checking [87]. The technique uses singleton types 4.4 Reflecting program dynamics instead of general terms [38] to help avoid undecidability. While much of the fundamental work has been developed Object-oriented programming promises software using functional languages (especially ML), there is no rea modularization, but has not completely delivered. The type son that I can see that it cannot be applied to more widely system captures only static, structural aspects of software. It accepted languages. says little about the state trajectory of a program (its Another innovative use of type systems is that of Necula, dynamics) and about its concurrency. Nonetheless, it has who describes the use of proof-carrying code [69]. Here, a provedextremely useful, and through the use of reflection, is able to support distributed systems and mobile code. program includes withit a proofof validity or compliance to some requirement, such as safety. If the code type checks, Reflection, as applied in software, can be viewed as hav thenit is valid. This is usedprimarily for security. The main ing an on-line model of the software within the software drawback appears to be in the difficulty of constructing the itself. In Java forexample, this is applied in a simple way. proofs. We mayfacea similar drawback in our useof depen The static structure of objects is visible through the Class dent types for capturing real-time properties in that con class and the classes in the reflection package, which structingthe real-time properties mayprovedifficult. includes Method, Constructor, and various others. These classes allow Java code to dynamically query objects for 4.3 On-line type system their methods, determine on-the-fly the arguments of the methods, and construct calls to those methods. Reflection is Static support for type systems give the compiler an integral part of Java Beans, mobile code, and CORBA responsibilityfor the robusmess of software [17]. This is not support. It provides a run-time environment with the facili adequate when the software architecture is dynamic. The tiesforstitching together components with relatively intoler software needs to take responsibility for its own robustness ant interfaces. [49]. This means that algorithms that support thetype system However, static structure is not enough. The interfaces need to be adapted to be practically executable at run time. between components involve more than method templates, ML is an early and well known realization of a "modern including such properties as communication protocols. To type system" [31][81][86].It was the first language to use get adaptive software in the context of real-time applica type inference in an integrated way [41], where the types of tions, it willalsobe important to reflectprogram state.Thus, variables are not declared, but are rather inferred from how we need reflectionon the program dynamics. they areused. Thecompile-time algorithms here areelegant, The firstquestion becomes at whatgranularity to do this. but it is not clear to me whether run-time adaptations are Reflection intrinsically refers toa particular abstracted repre practical. sentation of a program. E.g., in the case of static structure, Many modem languages, including Java and C++, use Java's reflection package does not include finer granularity declaredtypes rather than type inference, but their extensive thanmethods, norcoarser granularity thanobjects. useof polymorphism stillimplies a need for fairly sophisti cated type checking and type resolution. Type resolution Process-level reflection could include two critical facets, allows forautomatic (lossless) type conversions andforopti communication protocols and process state. The former mized run-time code, where theoverhead of latebinding can would capture in a type system such properties as whether be avoided. the process uses rendezvous, streams, or events to communi cation with other processes. By contrast,Java Beans detines Type inference and type checkingcan be reformulated as this property universally to all applications using Java the problem of frnding the fixed point of a monotonic func Beans.TTiat is, the eventmodelis the only interaction mech tionon a.lattice, an approach due to DanaScott [78].The lat anism available. If a component needs rendezvous, it must tice describes a partial order of types, where the ordering implement that on top of events, and the type system pro relationship is thesubtype relation. Forexample. Double is a videsno mechanism for the component to assertthatit needs subtypeof Numberin Java. A typicalimplementation refor rendezvous. For thisreason, JavaBeans seemunlikely to be mulates the fixed point problem as the solutionof a system very useful in applications that need stronger synchroniza of inequalities [68]. Reasonably efficient algorithms have tion between processes, and thus it is unlikely to be used been identified forsolving these systems ofinequalities [75], much beyond user interface design. although these algorithms are still primarily viewed as part of a compiler, andnot partof a run-time system. Reflecting process state could be done with an automaton that simulates the program. (We use the term "simulates" in Iteration to a fixed point, at firstglance, seemstoocostly thetechnical sense of automata theory.) Thatis, a component for on-line real-time computation. However, there are sev or its run-time environment can access the "state" of a erallanguages based onsuchiteration thatare used primarily process (much as an object accesses its own static structure

12 inJava), butthat state is notthe detailed state of theprocess, storage management, and specialization of components for but rather the state of a carefully chosen automaton that efficient execution. Because it outlives all application com simulatesthe application. Designingthat automaton is then ponents, it provides a convenient place to reflect aspects of similar(conceptually) to designing the static structureof an the application that transcend a single component or aggre object-oriented program, but represents dynamics instead of gate of closely related components. static structure. Just as we have object-oriented languages to help us develop object oriented programs, we would need state- 5.0 FRAMEWORK FRAMEWORKS oriented languages to help us develop the reflection In order to obtain certain benefits, frameworks impose automaton. These could be based on Statecharts, but would be closer in spirit to UML's state diagramsin that it would constraints. As a rule, stronger benefits come at the expense not be intended to capture all aspects of behavior. This is of stronger constraints. Thus, frameworks may become analogous to the object model of a program, whichdoes not rather specialized as they seek these benefits. capture all aspects of the program structure (associations The drawback with specialized frameworks is that they betweenobjects are only weaklydescribedin UMUs static are unlikely to solve all the framework problems for any structure diagrams). Analogous to object-oriented languages, complex system. To avoid giving up the benefits of special which are primarily syntactic overlays on imperative ized frameworks, designers of these complex systems will languages, a state-oriented language would be a syntactic haveto mix frameworks heterogeneously. overlayon an object-oriented language. The syntax could be There are several ways to mix frameworks. One is graphical, as is now becoming popular with object models through specialization (an^ogous to subtyping) where one (especially UML). framework is simply a more restricted version of another. Well-chosen reflection automata would add value in a For example, a Unix application that involves multiple pro numberof ways. First, an applicationmay be asked, via the cesses might use pipes in situations where the benefits of network, or basedon sensordata,to makesomechangein its pipesare desired. But it might not always use pipes, or not functionality. Howcan it tell whetherthat change is safe? use pipes throughout the application. The subsystem that The change may be safe when it is in certain states, and not uses pipes, ideally, is assured the benefits of pipes, such as safe in other states. It would query its reflection automaton, freedom from deadlock. The rest of the system has no such or the reflection automaton of some gatekeeperobject, to assurance. determine howto react. Thiscould be particularly important A second way to mix frameworks is hierarchically. A in real-time applications. Second, reflection automata could component in one framework is actually an aggregate of provide a basisforverification viasuchtechniques as model components in another. This is the approach taken in the checking. Ptolemy project [20]. The challenge here is to avoid having This complements what object-oriented languagesoffer. to design each pairwise hierarchical combination of frame Theirobjectmodel indicates safety of a change withrespect works. to data layout. But they provide no mechanism for determining safetybasedon the state of the program. The approach we take in the Ptolemy project is to use a When a reflection automaton is combined with system-level type concept that we call domain polymor concurrency, we get something akin to Statechart's phism. In Ptolemysoftware,a model of computation is real concurrent, hierarchical FSMs, but with a twist. In ized by a software infrastructure called a domain. A Statecharts, the concurrency model is fixed. Here, any componentthat is domainpolymorphic is one that can oper concurrency model can be used. We call this generalization ate in a number of domains. The objective is that the inter "♦charts," pronounced "starcharts", where thestarrepresents face exposed by an aggregate of components in a domain is a wildcard suggesting the flexibility in concurrency models itself domain polymorphic, and thus the aggregate can be [29]. Some variations of Statecharts support concurrency used in any ofseveral other domains with clear semantics. using models that are different from those in the original Initially, we constructed domain polymorphic compo Statecharts [651[83]. As with Statecharts, concurrent nents in an ad hoc fashion, using intuition to define an inter composition of reflection automata provides the benefit of face that was as unspecific as possible. More recently we compact representation of a product automaton that havebeencharacterizing these interfaces usingnondetermin- potentially has a very large number of states. In this sense, istic automata to given precisely the assumptions and aggregates of components remain components where the requirements of the interface.The services provided by each reflection automaton of the aggregate is the product domain are also characterized by automata. A component automaton of the components. But the product automaton can operate within a domain if its interface automata simu never needs to be explicitly represented. late those of the domain. Ideally, reflection automata would also inherit cleanly. A few other research projects have also heterogeneously For example, a component that derives from another inherits combined models of computation. The Gravity system and its automaton and refinesthe statesof the automaton(similar its visual editor Orbit, like Ptolemy, provide a framework to the hierarchy, or "or" states in Statecharts). framework, one that mixes modeling techniques heteroge In addition to application components being reflective, it neously [2]. A model in a domain is called a facet, and heter will probably be beneficial for components in the run-time ogeneous models are multi-facetted designs [7]. Jourdan et environment to be reflective. The run-time environment is at. have proposed a combination of Argos, a hierarchical whatever portion of the system outlives all application com finite-state machine language, with Lustre [33], which has a ponents. It provides such services as process scheduling. more dataflow flavor, albeit still within a synchronous/reac-

13 live concurrency framework [44]. Another interesting inte [10] A.Benveniste and G.Berry, "The Synchronous Approach to gration of diverse semantic models is done in Statemate [35], Reactive andReal-Time Systems," Proceedings of the IEEE, which combines activity charts with statecharts. This sort of vol.79, no. 9,1991, pp. 1270-1282. integration has more recently become part of UML. The activity chartshave someof the flavorof a process network. [11] A. Benveniste and P. Le Gueraic, "Hybrid Dynamical Sys tems Theory and the SIGNAL Language," IEEE Trans, on Automatic Control, vol.35,no.5, pp.525-546, May 1990. 6.0 ACKNOWLEDGEMENTS [12] G. Berry, "Real Time programming: Special purpose or gen The contents of this paperare strongly influenced by the eral purpose languages," in Information Processing, Ed. G. St.John Workshop onSoftware Developmentfor thePost-PC Ritter, ElsevierSciencePublishers B.V. (NorthHolland), vol. World, December, 1999, and the St. Thomas Workshop on 89, pp. 11-17,1989. Software Behavior Description, December, 1998. Particular [13] G. Berry and G. Gonthier, "The Esterel synchronous pro thanks to Cordell Green, Tom Henzinger, Paul Hudak, Gre- gramming language: Design, semantics, implementation," gor Kiczales, Bob Laddaga, Bill Mark, John Mitchell, Bill Science of Computer Programming, vol. 19, no. 2, pp. 87- Scherlis, \^ctoria Stavridou and Janos Sztipanovits, and to 152,1992. Bultler Lampson for asking the right hard questions. Many of the technical ideas are drawn from the Ptolemy Project [14] G.Berry, A. Ramesh, R. K. Shyamasundar, "Communicating (http://ptolemy.eecs.berkeley.edu), and have been particu Reactive Processes," 20thACM Symp. on Principles of Pro larly influenced by Shuvra Bhattacharyya, Joe Buck, John grammingLanguages,Charleston, Januaiy 1993. Davis, Steven Edwards, Soonhoi Ha, Christopher Hylands, [15] S. S. Bhattacharyya, P. K. Murthy and E. A. Lee, Software Bart Kienhuis, BilungLee, Jie Liu, Praveen Murthy, Steve Synthesisfrom Dataflow Graphs, KluwerAcademic Publish Neuendorffer, John Reekie, Kees Vissers, and Yuhong ers, Norwell, Mass, 1996. Xiong. [16] J. T. Buck, Scheduling Dynamic Dataflow Graphs with Bounded Memory Using theToken Flow Model, Tech. Report REFERENCES UCB/ERL 93/69, Ph.D.Dissertation, Dept. of EECS, Univer sity of California, Berkeley,CA 94720,1993. [1] S. Abramsky, S. J. Gay andR. Nagarajan. "Interaction Cate gories and the Foundations of Typed Concurrent Program [17] L. CardelH and P. Wegner, "On Understanding Types, Data ming." In: Deductive Program Design: Proceedings of the Absttaction, and Polymorphism," ACM Computing Surveys, 1994 Marktoberdotf Summer School (M. Broy, ed.). NATO Vol. 17, No. 4, pp. 471-522,1985. ASI Series F, Springer-Verlag, 1995. [18] N.Carriero and D.Gelemter, "Linda in Context," Comm. of [2] N. Abu-Ghazaleh,P.Alexander, D. Dieckman,R. Murali,and theACM, vol. 32, no.4, pp.444-458, April 1989. J. Penix, "Orbit— A Framework for High Assurance System [19] P. Caspi, D. Pilaud, N. Halbwachs, and J. A. Plaice, "LUS Design and Analysis." University of Cincinnati, TR 211/01/ TRE: A Declarative Language for Programming Synchro 98/ECECS, 1998. nous Systems," Conference Recordof the 14th AnnualACM [3] G. A. Agha, "Concurrent Object-Oriented Programming," Symp. on Principles of Programming Languages, Munich, Communications oftheACM, 33(9),pp. 125-141,1990. Germany,January, 1987. [4] G. A. Agha, Actors: A Model of Concurrent Computation in [20] J. DavisII, M. Goel, C. Hylands, B. Kienhuis, E. A. Lee,J. DistributedSystems, MITPress,Cambridge, MA, 1986. Liu, X. Liu, L. Muliadi, S. Neuendorffer, J. Reekie, N. Smyth, J. Tsay and Y. Xiong, "Overview of the Ptolemy [5] G. A. Agha, "Abstracting Interaction Patterns; A Program Project," ERL Technical Report UCB/ERL No. M99/37, ming Paradigm for Open Distributed Systems," in Formal Dept. EECS, University of California, Berkeley, CA 94720, Methods for Open Object-based Distributed Systems, IFIP July 1999. Transactions, E. Najm and J.-B. Stefani, Eds., Chapman & Hall, 1997. [21] E.Dijkstra, "Cooperating Sequential Processes", inProgram ming Languages,E F. Genuys,editor. Academic Press, New [6] S. Ahuja,N. Carreirb,andD. Gelemter,"Lindaand Friends," York, 1968. Computer, Vol. 19,No.8, Aug. 1986, pp.26-34. [22] B. P. Douglass, Real-Time UML, Addison Wesley, 1998 [7] P. Alexander, "Multi-Facetted Design: The Key to Systems Engineering," inProceedings ofForumonDesign Languages [23] S. A. Edwards, "The Specification and Execution of Hetero (FDLr98), September, 1998. geneous Synchronous Reactive Systems," Ph.D. thesis. Uni versity of California, Berkeley,May 1997.Availableas UCB/ [8] R. Allenand D. Garlan, "Formalizing Architectural Connec ERLM97/31. tion," in Proc. of the 16thInternational Conference on Soft (http://ptolemy.eecs.berkeley.edu/papers/97/sedwardsThesis/) ware Engineering (ICSE 94), May 1994, pp. 71-80, TF.F.F. [24] H.-E. Eriksson andM.Penker, UML Toolkit, Wiley, 1998. Computer Society Press. [9] R. Ben-Natan, CORBA: A Guide to Common Object Request [25] C. J. Fidge, "Logical Time in Distributed Systems," Com Broker Architecture, McGraw-Hill, Inc., ISBN 0-07-005427- puter, Vol. 24, No. 8, pp. 28-33, Aug. 1991. 4,1995. [26] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software, Addison Wesley, 1994.

14 [27] A. Geist, A. Beguelin,J. Dongarra, W. Jiang, R. Manchek, [42] R. Jagannathan, "Parallel Execution of GLU Programs,"pre and V. Sunderam, PVM: Parallel Virtual Machine—A Users' sented at 2nd International Workshop on Dataflow Comput Guide and Tutorialfor Networked Parallel Computing, MIT ing, Hamilton Island, Queensland, Australia, May 1992. Press, 1994. [43] R. E. Johnson, "Frameworks = (Components + Patterns)," [28] A. J. C. van Gemund, "Performance Prediction of Parallel Communications of the ACM, Vol. 40, No. 10, pp. 39-42, Processing Systems: The PAMELA Methodology," Proc. 7th October 1997. InL Conf. on Supercomputing, pages 418-327, Tokyo, July [44] M. Jourdan, F. Lagnier, F. Maraninchi, and P. Raymond, "A 1993. Multiparadigm Language for Reactive Systems," in Proc. of [29] A. Girault, B. Lee, and E. A. Lee, "Hierarchical Finite State the 1994 Int. Conf. on Computer Languages, Toulouse, Machineswith MultipleConcurrency Models," IEEE Trans France, May 1994. actions On Computer-aidedDesign Of Integrated Circuits [45] G. Kahn, "The Semantics of a Simple Language for Parallel And Systems, Vol. 18, No. 6, June 1999. Programming," Proc. of the IFIP Congress 74, North-Holland [30] Goossens, G., Lanneer, D., Pauwels, M., Depuydt, F., Publishing Co., 1974. Schoofs, K. Kifli, A., Comeio, M., Petroni, P., Catthoor, F., [46] D. J. Kaplan,et al., "ProcessingGraph Method Specification and de Man, H., "Integration of medium-throughput signal Version 1.0," Unpublished Memorandum, TTie Naval processing algorithms on flexible instniction-set architec Research Laboratory,WashingtonD.C., December 11,1987. tures," Journal ofVLSI Signal Processing, Jan. 1995, vol. 9, No. 1-2, p. 49-65. [47] R. M. Karp, R. E. Miller, "Properties of a Model for Parallel Computadons: Determinacy, Terminadon, Queueing," SIAM [31] M. J. Gordon,R. Milner,L. Morris,M. Neweyand C. P.Wad- Journal, Vol. 14, pp. 1390-1411, November, 1966. sworth, "A Metalanguage for Interactive Proof in LCF," ConfRecord of the 5th ArmualACM Symp. on Principles of [48] M. H. Klein, T. Ralya, B. Pollak, R. Obenza, and M. G. Har Programming Languages, ACM, pp. 119-130,1978. bour, A Practitioner's Handbook for Real-Time Analysis: [32] N. Halbwachs, Synchronous Programming of Reactive Sys Guide to Rate Monotoruc Analysis for Real-Time Systems, KluwerAcademic Publishers, Norwell, Massachusetts, 1993. tems, Kluwer Academic Publishers, Dordrecht, 1993. [49] R. Laddaga, "Acdve Software," posidon paper for the St. [33] N. Halbwachs, P. Caspi, P. Raymond, D. Pilaud, "The Syn Thomas Workshop on Software Behavior Description, chronous Data Flow Progranuning Language LUSTRE," December, 1998. Proc. of the IEEE, Vol.79, No. 9,1991, pp. 1305-1319. [50] L. Lamport, "Time, Clocks, and the Ordering of Events in a [34] D. Hare], "Statecharts: A Visual Formalism forComplex Sys Distributed System," Communications ofthe ACM, Vol. 21, tems," Sci. Comput. Program., vol 8, pp. 231-274,1987. No. 7, July, 1978. [35] D. Harel, H. Lachover, A. Naamad, A. Pnueli, M. Politi, R. [51] P. Lapsley, J. Bier, A. Shoham, and E. A. Lee, DSP Processor Sherman, A. Shtull-Trauiing, M. Trakhtenbrot, "STATEM- Fundamentals — Architectures and Features, IEEE Press, ATE: A WorkingEnvironment for the Development of Com New York, 1997. plex Reactive Systems," IEEE Trans, on Software Engineering, Vol.16, No. 4, April 1990. [52] R. Lauwereins, P. Wauters, M. Ad6, J. A. Peperstraete, "Geo metric Parallelism and Cyclo-Stadc Dataflow in GRAPE-ll", [36] D. Harel and A. Pnueli, "On the Development of Reactive Proc. 5th Int. Workshopon RapidSystem Prototyping, Greno Systems," in Logicand Models for Verification and Specifi ble, France, June, 1994. cation ofConcurrent Systems, Springer Verlag,1985. [53] D. Lea, Concurrent Programming in JavaTM: Design Princi [37] R. Harper and P. Lee, "Advanced Languages for Systems ples and Patterns, Addison-Wesley, Reading MA, 1997. Software:The Fox Projectin 1994,"TechnicalReport,CMU- CS-FOX-94-01,Camegie-Mellon University,1994. [54] E. A. Lee and D. G. Messerschmitt, "Synchronous Data Flow," Proceedings ofthe IEEE, September, 1987. [38] S. Hayashi, "Singleton, Union, and Intersection IVpes for Program Extraction," in A. R. Meyer (ed.), Proc. of the Int. [55] E. A. Lee and D. G. Messerschmitt, "Stadc Scheduling of Conf. on TheoreticalAspectsof ComputerScience, pp. 701- Synchronous Data Flow Programs for Digital Signal Process 730,1991. ing," IEEE Trans, on Computers, January, 1987. [39] T. A. Henzinger, "The theoiy of hybrid automata," in Pro [56] E. A. Lee and D. G. Messerschmitt, Digital Communication, ceedings of the IIth Annual Symposium on Logic in Com Second Edidon, Kluwer Academic Press, Norwood, Mass, puter Science, IEEE ComputerSocietyPress, 1996,pp. 278- 1994. 292, invited tutorial. [57] E. A. Lee and T. M. Parks, "Dataflow Process Networks,", [40] C. A. R. Hoare, "Communicating Sequential Processes," Proceedings of the IEEE, vol. 83, no. 5, pp. 773-801, May, Communicationsof the ACM,Vol.21, No. 8, August 1978. 1995. [41] P. Hudak,"Conception, Evolution, and Application of Func [58] E. A. Lee and A. Sangiovanni-Vincentelli,"A Framework for tional Programming Languages," ACM Computing Surveys, Comparing Models of Computadon," IEEE Transaction on Vol. 21, No. 3, September 1989. CAD, December 1998. [59] S. Liao, S. Tjiang, R. Gupta, "An efficient implementadonof reacdvity for modeling hardware in the Scenic design envi-

15 ronmenC Proc. ofthe Design Automation Conference (DAC [77] M. Schlett, 'Trends in Embedded-Microprocessor Design," 97), Anaheim, CA, 1997. Computer, vol.31, No. 8, pp.44-49,August1998. [60] C. Liu andJ. Layland, "Scheduling Algorithms for Multipro [78] D. Scott,"Outlineof a mathematical theory of computation", gramming in a Hard-Real-Time Environment," JACM, vol. Proc. of the 4th armual Princeton conf. on Information sci 20, pp. 46-61, Januaiy 1973. ences and systems, 1970,169-176. [61] J. M. Lucassen and D. K.Gifford, "Polymorphic Effect Sys [79] D. C. Schmidt,D. L. Levine,and S. Mungee, "The Designof tems," in Proc. 15-thACMSymp. on Principles of Program theTAOReal-UmeObjectRequestBroker," ComputerCom ming Languages, pp. 47-57,1988. munications, Elsivier Science, Volume21, No 4, April, 1998. [62] D. C. Luckham and J. Vera, "An Event-Based Architecture [80] W. T. Trotter, Combinatorics and Partially Ordered Sets, DefinitionLanguage," IEEE Transactionson SoftwareEngi Johns Hopkins UniversityPress, Baltimore,Maryland, 1992. neering, 21(9), pp. 717-734, September, 1995. [81] J. D. Ullman, Elements of MLProgramming, Prentice-Hall, [63] N. A. Lynch, Distributed Algorithms, Moigan Kaufmann 1994. Publishers, Inc., San Francisco, California, 1996. [82] A. J. C. van Gemund, "Performance Prediction of Parallel [64] Z. MannaandA. Pnueli,TheTemporal LogicofReactive and Processing Systems: The PAMELA Methodology," Proc. 7th ConcurrentSystems, Springer-Verlag, 1991. Int. Conf. on Supercomputing, pages 418-327, Tokyo, July [65] F. Maraninchi, "The Argos Language: Graphical Representa 1993. tion of Automata and Description of Reactive Systems," in [83] M. von der Beeck, "A Comparison of Statecharts Variants," Proc. IEEE Workshop on Visual Languages, Kobe, Japan, in Proc. of Formal Techniques in Real Time arul Fault Toler OcL 1991. ant Systems, LNCS 863,pp. 128-148, Sprinter-Verlag, Berlin, [66] P. Martin-Lof, "Constructive Mathematics and Computer 1994. Programming," in Logic, Methodology, arul Philosophy of [84] T. von Eicken, D. E. Culler, and S. C. Goldstein, and K. E. Science VI, pp. 153-175, North-Holland, 1980. Schauser, "Active messages: a mechanism for integrated [67] F. Mattem, "Virtual Hme and Global States of Distributed communications and computation," Proc. of the 19th Int. Systems," in Parallel and Distributed Algorithms, M. Cos- Symp. on Computer Architecture, GoldCoast,Australia, May nard and P. Quinton, eds., North-Holland, Amsterdam, 1989, 1992, also available as technical report TR UCB/CSD 92/ pp. 215-226. 675, CS Division, University of California, Berkeley, CA 94720. [68] R. Milner, A Theory of Type Polymorphism in Programming, Journal of Computer and SystemSciences 17, pp. 384-375, [85] J. Waldo, "Jini™ Architecture Overview," Sun Microsys 1978. tems, http://www.sun.com/products/jini, 1998. [69] G. Necula, "Proof-Carrying Code," in Conf. Record of the [86] A. Wikstrom, Standard ML, Prentice-Hall, Englewood Cliffs, 24thAnnualACMSymp. on PrinciplesofProgramming Lan NJ, 1988. guages, pp. 106-119, ACM Press, 1997. [87] H. Xi and F. Pfenning, "Eliminating Array Bound Checking [70] J. K. Ousteihout, "Scripting: Higher Level Programming for Through Dependent Types," In Proceedings of ACM SIG- the 21 Century," IEEE Computer, March 1998. PLAN Conference on Programming Language Design and Implementation (PLDI 98), pp. 249-257, Montreal, June [71] T. M. Parks,BoundedScheduling of ProcessNetworks, Tech 1998. nical Report UCB/ERL-95-105. PhD Dissertation. EECS Department, University of California. Berkeley, CA 94720, December 1995. [72] J. Peterson and K. Hammond (eds), Haskell 1.3: A Non-strict, Purely Functional Language, Yale University Research Report YALEU / DCS IRR-1106, May 1996. [73] V.R. Pratt, "Modeling Concurrency with Partial Orders," Int. Journal, of Parallel Programming, vol. 15, no. 1, pp. 33-71, Feb. 1986. [74] G. M. Reed and A. W. Roscoe, "A Timed Model for Commu nicating Sequential Processes," Theoretical Computer Sci ence, 58(1/3): 249-261, June 1988. [75] J. Rehof and T. Mogensen, "Tractable Constraints in Finite Semilattices," ThirdInternational StaticArmlysis Symposium, pp. 285-301,Volume 1145of LectureNotes in ComputerSci ence, Springer, Sept., 1996. [76] W. Reisig, Petri Nets: An Introduction, Springer-Verlag, 1985.

16