Reo2PVS: Formal Specification and Verification of Component Connectors

M. Saqib Nawaz and Meng Sun
LMAM & Department of Informatics, School of Mathematical Sciences, Peking University, Beijing, China
{msaqibnawaz, summ}@pku.edu.cn

Abstract—Compositional coordination models such as Reo provide powerful support for the development of large-scale distributed systems by allowing construction of complex connectors that coordinate behavior among different components. The reliability of such distributed systems highly depends on the correctness of connectors. In this paper, we use the proof assistant PVS for formal modeling, analysis and verification of component connectors. We first present the modeling of primitive channels and the composition operators that are used to combine channels for building complex connectors. Furthermore, we show how to model and analyze connector’s behavior in PVS and prove some interesting connector properties. The model reflects the original topological structure of connectors simply and clearly. With the provided approach, different kinds of connector properties can be naturally formalized and proved in PVS.

Index Terms—Reo, Connector, PVS, UTP, Design

I. INTRODUCTION

Nowadays, most modern software systems are distributed over large networks of computing devices. However, software components that comprise the whole system usually do not fit together exactly and leave significant interfacing gaps among them. Such gaps are generally filled with additional “glue code”. Compositional coordination languages offer such a glue code among components and facilitate the mutual interactions between components in a distributed environment. Reo [2] and Linda [11] are two popular examples of such compositional coordination languages, which have played an important role in the success of component-based systems in the past decades.

Reo is a channel-based exogenous coordination language where complex component connectors are orchestrated from channels via certain composition operators. Exogenous coordination [1] means coordination from outside, where the primitives that support the coordination of an entity with others reside outside of that entity. Connectors in Reo provide the protocols that control and organize the communication, synchronization and cooperation among the components that they interconnect. Despite its simplicity, Reo has been used successfully in various application domains, such as service-oriented computing [10], [21], [22], business processes [25] or biological systems [8].

The reliability of component-based systems highly depend on the correctness of connectors. Formal analysis and verification of connectors is gaining more interest in recent years with the evolution of software systems and advancements in Cloud and Grid computing technologies. Furthermore, the increasing growth in size and complexity of computing infrastructure has made the modeling and verification of connector properties a more difficult and challenging task. From the modeling and analysis context, the formal semantics for Reo allows us to specify and analyze the behavior of connectors precisely.

In literature, different formal semantics have been proposed for Reo [13], such as the co-algebraic semantics in terms of relations on infinite timed data streams [3], operational semantics using constraint automata [6], the coloring semantics by coloring a connector with possible data flows [9] in order to resolve synchronization and exclusion constraints, and the UTP (Unified Theories of Programming) semantics [20], [23].

In the past decade, a lot of work has been done towards formal verification and analysis of Reo connectors. A symbolic model checker “Vereofy” has been developed in [5] to check the CTL-like properties of systems with exogenous coordination. Another approach is to take advantage of existing verification tools by translating Reo model to other formal models such as Alloy [14], mCRL2 [15], etc. Since infinite behavior is usually taken into consideration for connectors, the modeling and analysis of connectors are expected to be achieved efficiently in theorem provers. In [16], a method for formal modeling and verification of Reo connectors in Coq is provided. Reo connectors were represented in a constructive way and verification was based on the simulation of the behavior and output of Reo connectors. A different modeling and analysis framework in Coq was proposed in [24], which adopted the UTP design model for Reo connectors developed in [20], [23], i.e., a pair of predicates \( P \sqsupseteq Q \) where the predicate \( P \) specifies what the designer can rely on when the communicating operation is initiated by input to the connector, and \( Q \) is the condition on output that must be true when the communicating operation terminates. Work done in [24] was extended in [12] to cover the modeling and verification of timed channels and connectors in Coq.

In this paper, the aim is to provide an approach for formal modeling and reasoning about Reo connectors constructed from primitive (both untimed and timed) channels under the UTP semantic framework using the proof assistant PVS [17]. We first provide the modeling for a family of primitive channels and compositional operators in PVS. Then we show how to model and reason about more complex connectors. The basic idea is to model the observable behavior of a connector as a relation on the timed data sequences being observed.
at its input and output nodes. In PVS, this is achieved by representing a connector as a logical predicate that describes the relation among the timed data sequences on its input and output nodes. The model makes it possible to prove complex and generic connectors’ properties easily in PVS. The PVS dump file for this work can be found at [19].

The rest of this paper is organized as follows: Reo and PVS are briefly introduced in Section II. PVS specifications for basic definitions being used in the modeling of primitive channels are presented in Section III. In Section IV, formal modeling of primitive channels is described, followed by the modeling of compositional operators. Section V shows how to verify and reason about connector properties in PVS by several examples. Finally, Section VI concludes the paper.

II. PRELIMINARIES

In this section, a brief introduction to the coordination language Reo and the PVS system is provided.

A. Reo

Reo is a channel-based exogenous coordination language where complex connectors are compositionally constructed out of simpler ones. Further details on Reo can be found in [2], [6]. Connectors provide the protocol to control and organize the communication, synchronization and cooperation among different components. The simplest connectors are channels with well-defined behavior. Each Reo channel has two channel ends, which can be of type source or sink. A source channel end accepts data into the channel and a sink channel end dispenses data out of the channel. Few primitive channel types in Reo are shown in Figure 1.

![Some primitive channels in Reo](image)

A synchronous (Sync) channel has one source and one sink end. I/O operations can succeed only if the writing operation at source end is synchronized with the read operation at its sink end. A lossy synchronous (LossySync) channel is a variant of synchronous channel that accepts all data through its source end. The written data is lost immediately if no corresponding read operation is available at its sink end. A FIFO channel is an asynchronous channel with one buffer cell, one source end and one sink end. The channel accepts a data item whenever the buffer is empty. The data item is kept in the buffer and dispensed to the sink end later in the FIFO order. A synchronous drain (SyncDrain) channel has two source ends and no sink end, which means that no data can be obtained from such channels. The write operation on both source ends should happen simultaneously and the data items written to this channel are irrelevant. A t-timer channel accepts any data item at its source end and produces a timeout signal on its sink end after a delay of t time units.

Complex connectors are constructed by composition of different channels with join and hiding operations. The result can be represented visually as a graph where a node represents a set of channel ends that are combined together through the join operation, while the edges in the graph represent the channels between the corresponding nodes. Nodes are categorized into source, sink or mixed nodes, depending on whether the node contains only source channel ends, sink channel ends, or both. Source nodes are analogous to input ports, sink nodes to output ports and mixed nodes are internal details of a connector that are hidden. The internal topology of any connector can be hidden from outside by applying the hiding operation. The behavior of a connector can be captured by the data-flow on its source and sink nodes. The hidden nodes can not be accessed or observed from outside.

B. PVS

PVS (Prototype Verification System) offers a formal specification language and a mechanical theorem prov- environment. The PVS system consists of a specification language, a parser, a type-checker, a prover, specification libraries, and various browsing tools. Specification language of PVS is built on a higher order logic and type system of PVS supports predicate sub-typing and other type dependencies. The type system of PVS is not algorithmically decidable and theorem proving may be required to establish the type-consistency of a PVS specification. Theorems that need to be proved are called type-correctness conditions (TCC’s). Here, we give a simple example for factorial function that is defined recursively in PVS.

```plaintext
factorial(n:nat): RECURSIVE posnat = IF n = 0 THEN 1 ELSE factorial(n-1)*n ENDIF

the: THEOREM FORALL(k:nat): factorial(k) >= k
```

In PVS, recursive definitions are treated as constant declarations and it must be total, so that the function is defined for every value of its domain. In order to ensure this, recursive functions must be specified with a measure (n in the factorial function). Theorem the in this example shows that factorial of a number should be greater than or equal to that number. PVS offers inference rules, proof commands and decision procedures that can be used to prove theorems. PVS prover is based on sequent calculus where each proof goal is a sequent consisting of a sequence of formulas called antecedents and a sequence of formulas called consequents. The intuitive interpretation of a sequent is that the conjunction of the antecedents implies the disjunction of the consequents. During proof construction, PVS builds a graphical proof tree in which remaining proof obligations are at the leaves of tree. If a proof gets stuck, then this tree helps to see where the proof goes wrong. Further details on PVS can be found in [18].

III. BASIC DEFINITIONS IN PVS

The behavior of a connector can be formalized by means of data-flows on its sink and source nodes which are essentially infinite sequences. In PVS, record structure is used to represent timed data (TD) sequences on the sink and source nodes,
where *time* is defined as *positive real numbers* \( \mathbb{R}^+ \) and *data* is defined as a *positive* type. The advantage of using the record structure for representing a TD sequence is that it offers names for both time and data of the sequence, which makes the specification more convenient and understandable.

**Time:** Type = posreal  
**Data:** TYPE+  
**TD:** TYPE = [ # T: sequence[Time],  
D: sequence[Data] # ]  
Input, Output: VAR TD

A TD is a record structure type that has two components: *T* and *D*. The *D* component is a sequence of *data items*. The *T* component is a sequence of *time points* being used to represent the *time* when the data items in the *D* component being observed. *Input* and *Output* are declared as variables of type TD. The following predicates are used for primitive channels specification later:

\[
\begin{align*}
Teq(\text{Input}, \text{Output}) & : bool = T(\text{Input}) = T(\text{Output}) \\
Tle(\text{Input}, \text{Output}) & : bool = T(\text{Input}) < T(\text{Output}) \\
Tgt(\text{Input}, \text{Output}) & : bool = T(\text{Input}) > T(\text{Output}) \\
Deq(\text{Input}, \text{Output}) & : bool = D(\text{Input}) = D(\text{Output})
\end{align*}
\]

Teq takes two TD sequences and returns *true* if the time of two sequences are exactly equal to each other. Tle represents that time of the first sequence is strictly less than the second sequence and Tgt means that the time of the first sequence is strictly greater than the second sequence. Deq shows the equality of data: data sequence at *Input* is equal to data sequence at *Output*. Teq, Tle and Tgt only checks the time component of the record structure, whereas, Deq checks the data field. Since the type of component *T* in TD is defined as *sequence[Time]*, we have to define the operators "<" and "\( \sim \)" for sequences of times. A strict order (that is both transitive and irreflexive) is assumed for "<" and "\( \sim \)".

\[
\begin{align*}
<: (\text{strict_order?}[\text{sequence[Time]}]) & \\
>: (\text{strict_order?}[\text{sequence[Time]}]) & = \text{LAMBDA} (s1, s2: \text{sequence[Time]}): s2 < s1
\end{align*}
\]

Defining "<,\( \sim \)" for sequence of time generated two TCC’s. Proof steps for these two TCC’s can be found at [19].

For timed channels, three new predicate formulas are introduced, which are similar as the previous definitions for primitive untimed channels with one of the time sequences is added by a *t* time delay. An extra *t* is appended to the names of these new predicates to distinguish them from the ones for untimed channels. Definitions *Teq, Tle* and *Tgt* can also be specified with the terms used in the *Teqt, Tltt* and *Tgtn*.

\[
\begin{align*}
\text{Tgt}(T1,T2)(t: \text{Time}): bool = \text{FORALL} (n:nat): \\
\text{FrS(str_nth(n,T1))} + t = \text{FrS(str_nth(n,T2))} \\
\text{Tltt}(T1,T2)(t: \text{Time}): bool = \text{FORALL} (n:nat): \\
\text{FrS(str_nth(n,T1))} + t < \text{FrS(str_nth(n,T2))} \\
\text{Tgtn}(T1,T2)(t: \text{Time}): bool = \text{FORALL} (n:nat): \\
\text{FrS(str_nth(n,T1))} + t > \text{FrS(str_nth(n,T2))}
\end{align*}
\]

IV. Reo Channels and Operators

The modeling of primitive untimed / timed channels and operators for connectors composition is presented in this section. These channels and operators are used later in the modeling and analysis of complex connectors.

**A. Primitive Channels**

For the Sync channel, the time and data of a sequence that flows into the channel are exactly the same as those of the sequence flowing out. The channel is modeled as follows in PVS:

\[
\begin{align*}
\text{Sync}(\text{Input}, \text{Output}) & : bool = \text{Teq(\text{Input}, \text{Output})} \ & \text{Deq(\text{Input}, \text{Output})}
\end{align*}
\]

The SyncDrain channel has two source ends and no sink end. It works as a synchronous channel that allows pairs of write operations pending on its two ends to succeed simultaneously. In this channel, all written data items are consumed and lost. Thus, this channel is used just for synchronizing two TD sequences being observed on its two ends. This channel is specified in PVS as follows:

\[
\begin{align*}
\text{SyncD}(\text{Input1}, \text{Input2}) & = \text{Teq(\text{Input1}, \text{Input2})}
\end{align*}
\]

A LossySync channel is analogous to the Sync channel, except that the write operation on the source end always succeeds immediately. If a corresponding read operation is already pending on the sink end, then the written data item is transferred to the sink end and both operations succeed. Otherwise, only the write operation on the source end succeeds and the data item is lost. LossySnc channel is defined inductively as follows:

\[
\begin{align*}
\text{Lossysync}(\text{Input}, \text{Output}) (n:nat): \text{INDUCTIVE} \ & \text{bool} \\
& \text{=} (\text{nth(\text{Output},n)} = \text{nth(\text{Input},n)} \\
& \ & \ \text{OR Lossysync(\text{next(\text{Input})},\text{next(\text{Output})})}(n) \\
& \ & \ \text{OR Lossysync(\text{\text{next(\text{Input})},\text{\text{Output})}})(n))
\end{align*}
\]

Another important channel in Reo is the asynchronous one with buffering capacity 1, known as FIFO channel \( \langle \mathbb{C} \rangle \). The time when a FIFO channel takes a data item at its source end is earlier than the time when the data item is delivered at its sink end. Furthermore, the time of the next data item that flows in at the source end should be later than the time when the data in the buffer is delivered at the sink end. The buffer is empty if no data item is in the buffer, and it contains a data element *d* after *d* is written through the source end and before *d* is taken out through the sink end.

\[
\begin{align*}
\text{Fifo1}(\text{Input}, \text{Output}) : bool = \text{Tle(\text{Input}, \text{Output})} & \ & \text{Deq(\text{Input}, \text{Output})}
\end{align*}
\]

A FIFOc channel is a variant of FIFO where the buffer already contains a data element "e". The communication can only be initiated when *e* is taken out through the sink end. So the data sequence that flows out of the channel always get an extra element *e* settled at the beginning of the sequence.

*In PVS, inductive definitions are similar to recursive definitions, in that both involve induction and must satisfy additional constraints to guarantee that they are total.*
Moreover, the time of the sequence that flows into the channel should be earlier than time of the tail of the sequence that flows out. As the buffer contains \( e \), new data can be written into the channel only after the element \( e \) has been taken. Therefore, time of the sequence that flows out is earlier than time of the sequence that flows in.

\[
\text{Fifole}(\text{Input},\text{Output})(e:\text{Data})(n:\text{nat}): \text{bool} = \\
\text{Tgc}(\text{Input},\text{Output}) \& \text{Tle}(\text{Input},\text{next}(\text{Output})) \& \\
\& e?(\text{nth}(\text{Output},n))(e) \& \\
\text{Deq}(\text{Input},\text{next}(\text{Output})))
\]

The \textit{t-timer channel} accepts input data through its source end and returns a \textit{timeout} signal on its sink end exactly after a duration of \( t \) time units. It is specified in PVS as follows:

\[
\text{Timert}(\text{Input},\text{Output})(t:\text{Time})(d:\text{Data}): \text{bool} = \\
\text{FORALL}(n:\text{nat}): \text{FrS}(\text{str}_n(n,\text{Input})) + t < \\
\text{FrS}(\text{str}_n(n,\text{next}(\text{Input}))) \\
\& \text{Teq}(\text{Input},\text{Output})(t) \\
\& \text{SrF}(\text{str}_n(n,\text{Output})) = \text{timeout}(d)
\]

The definitions of more channels can be found at [19]. Defining primitive channels by intersection and disjunction of predicates in PVS makes the modeling of channels more concise, easy to understand as each predicate describes a simple order relation (requirement) on time or data. Furthermore, we can easily split the predicates for proofs of different properties which can make the reasoning and proving process simpler.

\textbf{B. Operators Modeling in PVS}

Three main composition operators (shown in Figure 2) are used in Reo for connector construction, which are (i) flow-through, (ii) replicate and (iii) merge.

\[
\text{Figure 2. Operators for channel composition}
\]

The \textit{flow-through} operator simply allows data items to pass the mixed node. It can be achieved explicitly without specifying it in PVS. This is explained with the simple example in Figure 3, which represents a flow-through operator at node \( B \). Such a flow-through operator at node \( B \) can be implicitly implemented by just writing the connector as \("Sync(A,B) \land FIFO1(B,C)\".

\[
\text{Figure 3. A connector composed of a Sync and a FIFO1 channel}
\]

The \textit{replicate} operator puts the source ends of different channels together into one source node. Write operation on this node succeeds only if all the channels are capable of consuming a copy of the written data. Similar to the flow-through operator, it can be implicitly represented by the structure of connectors. For example, If we put one \( Sync(A,B) \) channel and one \( FIFO1(C,D) \) channel together, we can simply write \( Sync(A,B) \land FIFO1(A,D) \) in PVS instead of defining a recursive or inductive function, and the replicate operator is achieved directly by renaming \( C \) with \( A \) for the \( FIFO1 \) channel. The use of conjunction and node renaming for flow-through and replicate operator allows us to define connectors directly in lemmas and theorems.

The modeling of \textit{merge} operator is a bit more complicated. When the merge operator acts on two channels, it leads to a choice of taking the data item from one of them. The merge operator is defined inductively as the intersection of two predicates.

\[
\text{Merge}(s1,s2,s3)(n:\text{nat}): \text{INDUCTIVE bool} = \\
\{( \text{NOT } (\text{FrS}(\text{nth}(s1,n)))) \land (\text{FrS}(\text{nth}(s2,n))))) \\
\land (\text{FrS}(\text{nth}(s1,n)) < (\text{FrS}(\text{nth}(s2,n)))) \\
\land \text{Merge}(\text{next}(s1), s2, \text{next}(s3))(n)) \\
\land (\text{FrS}(\text{nth}(s1,n)) > (\text{FrS}(\text{nth}(s2,n)))) \\
\land \text{Merge}(s1, \text{next}(s2), \text{next}(s3))(n))
\]

\textbf{V. REASONING ABOUT CONNECTORS}

In this section, we investigate and prove some interesting properties for connectors in PVS.

\textbf{Example 1.} We first consider the connector shown in Figure 3. Let \( a, b, c \) denote the time sequences when the corresponding data sequence flows through nodes \( A, B \) and \( C \). According to the semantics of \( Sync \) and \( FIFO1 \) channels, we know that \( a = b < c \). Let \( \alpha, \beta \) represent the data sequence being observed at the source node \( A \) and the sink node \( C \) respectively, we have \( \alpha = \beta \). In PVS, these results are proved with the following theorem.

\textbf{Theorem 1.} \( Sync(A,B) \land FIFO1(B,C) \Rightarrow Tle(A,C) \land Teq(A,B) \land Deq(A,C) \)

\textbf{Proof.} When the PVS proof checker is run on this theorem, it gives the following sequent (proof goal) which consists of no antecedent and one consequent formula:

\[
\{-------
\{1\} \text{FORALL } (A,B,C:\text{TD}): \\
\quad \text{Sync}(A,B) \land \text{Fifol}(B,C) \Rightarrow Tle(A,C) \\
\quad \& \text{Teq}(A,B) \& \text{Deq}(A,C)
\}
\]

The \textit{skolem} command is used first that creates a fresh free \textit{skolem} variable for the universal quantifier (\( \forall \)) in consequence. Then the \textit{flatten} command is used to simplify the proof goal by removing \( \Rightarrow \) from consequent. This changes the formula to:

\[
\{1\} \text{Sync}(A!1, B!1) \\
\{-2\} \text{Fifol}(B!1, C!1)
\{-------
\{-1\} \text{Tle}(A!1,C!1) \& \text{Teq}(A!1,B!1) \& \text{Deq}((A!1,C!1))
\]

It now consists of two antecedent formulas and one consequent formula. In next steps, the definitions of \( Sync \) and \( FIFO1 \) channels, as well as predicates \( Tle, Teq, Deq \) and
next are expanded with the command (expand “id”). Conjunction (&) in the antecedents are removed with the command “flatten”. The formula now simplifies to:

\[
\begin{align*}
(-1) & \quad T(A!1) = T(B!1) \\
(-2) & \quad D(A!1) = D(B!1) \\
(-3) & \quad T(B!1) < T(C!1) \\
(-4) & \quad T(C!1) < (suffix(B!1, T, 1)) \\
(-5) & \quad D(B!1) = D(C!1)
\end{align*}
\]

The sequent is then divided (with “splits”) into three sub-sequents (sub-goals), which are all proved with decision procedure command “assert”. \[\text{†}\]

**Example 2.** We now consider the Lower Bounded FIFO1 connector as given in Figure 4. This connector has one source node A and one sink node B. It ensures the lower bound “\(\geq t\)” for the take operation on node B. Every data item received by this connector needs to stay in its buffer for more than \(t\) time units. Let \(\alpha, \beta\) represent the data sequences being observed at nodes A and B, and \(a, b\) represents the time sequences corresponding to \(\alpha\) and \(\beta\), i.e., \(t\)-th element \(a(i)\) in \(\alpha\) (and \(b(i)\) in \(\beta\)) denotes exactly the time moment of the occurrence of \(\alpha(i)\) (and \(\beta(i)\)). For this connector, it is proved in theorem 2 that \(\alpha = \beta\) and \(a + t < b\).

![Figure 4. Lower Bounded FIFO1 Connector](image)

**Theorem 2.** \(\forall A,B,C,D,E \in TD, t \in Time, d \in Data:

\[
\begin{align*}
& \text{Timert}(A,C)(t)(d) \land \text{Fifo1}(A,D) \land \text{Sync}(D,E) \land \text{Fifo1}(C,E) \land \text{Sync}(D,B) \Rightarrow \text{Deq}(A,B) \land \text{Tlt}(A,B)(t)
\end{align*}
\]

**Proof.** After applying skolemization, expansion and flattening, the main goal is split into two sub-goals. The first sub-goal is for the data dimension, i.e., the data sequence received at \(A\) should be equal to the data sequence being taken at \(B\). The Fifo1(A, D) channel satisfies the predicate Deq(A, D) and the Sync(D, B) channel satisfies Deq(D, B). The conjunction of both predicates results in Deq(A, B). For the time dimension, we have predicates Teqt(A, C, t), Tlt(C, E), Teq(E, D) and Teq(D, B), which can be obtained from the definitions of Timert, Fifo1, SyncD and Sync channels respectively. These four predicates introduce the constraints \(A + t = C, C < E, E = D, D = B\) for time. The combination of these predicates results in Tlmt(A, B, t), such that \(A + t < B\) holds for time.

**Example 3.** Figure 5 shows an expiring FIFO1 connector that can be constructed with a normal FIFO1 channel and a t-timer (and some other channels). In this connector, a data item received through the source node A is dropped from the buffer if it is not taken out through the sink node B within t time units.

**Theorem 3.** \(\forall A,B,C,D,E,F,G,H \in TD, t \in Time, d \in Data, n \in nat:\)

\[
\begin{align*}
& \text{Sync}(A,C) \land \text{Sync}(C,F) \land \text{Fifo1}(C,D) \land \text{Timert}(F,G)(t)(d) \land \text{Lossysync}(G,H)(n) \land \text{SyncD}(D,H) \land \text{Lossysync}(D,E)(n) \land \text{Sync}(E,H) \land \text{Sync}(E,B) \Rightarrow \text{Teqt}(A,B)(t) \land \text{Tgt}(B,A)
\end{align*}
\]

**Proof.** The PVS proof process of this theorem is presented as follows:

1. \(\text{inst} \to \text{cond} \to \beta\) (The proof starts by applying induction on \(n\))
2. Main goal is split into two sub-goals. For the first sub-goal (the base case):
   \(\text{skosimp} \to \text{expand Fifo -3} \to \text{expand Lossysync} \to \text{expand Sync} \to \text{expand Timert} \to \text{expand Teqt} \to \text{expand Tgt} \to \text{assert} \to \text{split}\)
   The first sub-goal is split into two more sub-goals. For the first sub-sub-goal:
   \(\text{skosimp} \to \text{inst} \to \text{grind}\)
   \(\text{This proves the first sub-sub-goal.}\)
   For the second sub-sub-goal:
   \(\text{skosimp} \to \text{inst} \to \text{grind}\)
   \(\text{This proves the second sub-sub-goal and the proof of the first sub-goal is complete.}\)
3. For the second sub-goal:
   \(\text{skosimp} \to \text{inst} \to \text{skosimp} \to \text{assert} \to \text{grind}\)
   \(\text{This proves the second sub-sub-goal and the proof of the first sub-goal is complete.}\)
4. This completes the proof of the theorem. \[\square\]

**Example 4.** A timed connector \(\rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightarrow \rightt...
Such a connector produces a timeout signal after a delay \( t \) for every input it receives. The duration between the arrival time for the \( i \)-th input and that for the \( (i+j)\)-th input for \( j < n \) can be less than \( t \) whereas the duration between the arrival time for the \( i \)-th input and that for the \( (i+n)\)-th input should be at least \( t \). Figure 6 shows the topology structure of \( 2 \times t \).

Let \( a,b \) represent the time sequences corresponding to the data sequences flowing into \( A \) and out of \( B \), respectively. Theorem 4 states the property that \( a + t = b \) for the \( 2 \times t \) timed connector.

**Theorem 4.** \( \forall A,B,C,D,E,F,G,I,C,D1 \in TD, t \in Time, d \in Data, n \in nat: \)

\[
\neg \text{Sync}(A,G) \land \neg \text{Lossysync}(G,E)(n) \land \neg \text{Lossysync}(G,F)(n) \land \neg \text{Sync}(E,I) \land \neg \text{Sync}(F,I) \land \neg \text{Sync}(D,G) \land \neg \text{Merge}(E,F,I)(n) \land \neg \text{Sync}(E,C) \land \neg \text{Sync}(E,D) \land \neg \text{Timert}(C,C1)(t)(d) \land \neg \text{Timert}(D,D1)(t)(d) \land \neg \text{Merge}(C1,D1,B)(n) \Rightarrow \neg \text{Teqt}(A,B)(t)
\]

Since the Lossysync channel and the composition operator \( \text{merge} \) are both defined inductively, this theorem is proved by induction on the parameter \( n \). The main goal is divided into two sub-goals. The first sub-goal is for the base case and the second subgoal is for the inductive step. The details of the proof process is similar to the proofs for previous theorems in this section, and we omit it here due to the length limitation.

**VI. Conclusion**

This paper presents a method for formal modeling of Reo connectors and reasoning about Reo connectors in PVS. The formalization is based on the UTP design semantics for Reo and preserves the original structure and behavior semantics of Reo channels and composition operators, which makes their description in PVS reasonably readable. Connector properties are specified with predicates which offer an appropriate description of the relations between different timed data sequences being observed on the nodes of a connector. The proofs of connector properties are completed with the help of PVS proof commands, inference rules and decision procedures. Generalized property for connectors for arbitrary \( n \), which cannot be verified explicitly with model checkers, can be system proved here as well.

The main problem of this approach is that the analysis and proof process of complex connector properties in PVS always requires heavy interactions between users and the proof assistant, and thus consumes a lot of time. Even for simple properties, the proof process can become hard and requires the users to have good knowledge on PVS to make the proof successfully. In the future, efforts will be made to encapsulate frequently-used proof patterns as PVS strategies in order to make the proof process easier and reduce repetitive work. Machine learning techniques are also expected to provide some help to automate the proof process and reduce the amount of human efforts. On the other hand, extension of the approach to deal with probabilistic [4] or stochastic [7] behavior of connectors is in our plan for future work as well.

**Acknowledgement.** The work was partially supported by the National Natural Science Foundation of China under grant no. 61772038, 61532019, 61202069 and 61272160.

**References**


[16] PVS dump files. Available at: https://github.com/saqibdola/Reo-in-PVS.


