1 Introduction

Over a decade ago, Baier et al. introduced constraint automata for the specification of interaction protocols [6]. Constraint automata feature a powerful composition operator that preserves synchrony: composite constructions not only yield intuitively meaningful asynchronous protocols but also synchronous protocols. Constraint automata have been used as a basis for tools, like compilers and model checkers. Jongmans developed Lykos: a compiler that translates constraint automata into reasonably efficient executable Java code [13]. Baier, Blechmann, Klein, and Klüppelholz developed Vereofy, a model checker for constraint automata [4, 19]. Unfortunately, like every automaton model, composition of constraint automata suffers from state space and transition space explosions. These explosions limit the scalability of the tools based on constraint automata.

To improve scalability, Clarke et al. developed a compiler that translates a constraint automaton to a first-order formula [9]. The transitions of the constraint automaton correspond to the solutions of this formula. At run time, a generic constraint solver finds these solutions and simulates the automaton. Since composition and abstraction for constraint automata respectively correspond to conjunction and existential quantification, the first-order specification does not suffer from state space or transition space explosion. However, the approach proposed by Clarke et al. only delays the complexity until run time: calling a generic constraint solver at run time imposes a significant overhead.

Jongmans realized that the overhead of this constraint solver is not always necessary. He developed a commandification algorithm that accepts constraints without disjunctions (i.e., conjunctions of literals) and translates them into a small imperative program [14]. The resulting program is a light-weight, tailor-made constraint solver with minimal run time overhead. Since commandification accepts only constraints without disjunction, Jongmans applied this technique to data constraints on individual transitions in a constraint automaton. Relying on constraint automata, his approach still suffers from scalability issues [17].

We aim to prevent state space and transition space explosions by combining the ideas of Clarke et al. and Jongmans. To this end, we present the language of stream constraints: a generalization of constraint automata based on temporal logic. A stream constraint is an expression that relates streams of observed data at different locations (Sect. 2). We identify a subclass of stream constraints, called regular (stream) constraints, which is closed under composition and abstraction (Sect. 3). Regular constraints can be viewed as constraint automata, and conjunction of reflexive regular constraints is similar to composition of constraint automata (Sect. 4).

A straightforward application of the commandification algorithm of Jongmans to regular stream constraints entails transforming a stream constraint into disjunctive normal form and applying the algorithm to each clause separately. However, the number of clauses in the disjunctive normal form may grow exponentially in the size of the composition. To prevent such exponential blowups of the size of the formula, we recognize and exploit symmetries in the disjunctive normal form. Each clause in the disjunctive normal form can be constructed from a set of basic stream constraints, which we call rules. This idea allows us to represent a single large constraint as a certain combination of a set of smaller constraints, called the rule-based form (Sect. 5). We express the composition of stream constraints in terms of the rule-based form (Sect. 6), and show that, for simple sets of rules, the number of rules to describe the composition is only linear in the size of the composition (Sect. 7). The class of stream constraints defined by a simple set of rules contains constraints for which the size of the disjunctive normal form explodes, which shows that our approach improves upon existing approaches by Clarke et al. and Jongmans. We express abstraction on stream constraints in terms of the rule-based form and provide a sufficient condition under which the number of rules remains constant (Sect. 8). Finally, we conclude and point out future work (Sect. 10).

Related work. Representation of stream constraints in rule-based form is part of a larger line of research on symbolic approaches, such as symbolic model checking [5, 8, 20] and symbolic execution [10]. These approaches not only use logic (cf., SAT solving techniques [12, 18] for verification), but also other implicit representations, like binary decision diagrams [7] and Petri nets [21]. Petri nets offer a small representation of protocols with an exponentially large state space. While our focus is more on compilation, Petri nets have been studied in the context of verification. As inspiration for future work, it is interesting to study the similarities between Petri nets and stream constraints.

Since regular stream constraints correspond to constraint automata, we can view regular stream constraints as a restricted temporal logic for which distributed synthesis is easy. In general, distributed (finite state) synthesis of protocols is undecidable [22, 23]. Pushing the boundary from regular to a larger class of stream constraints can be useful for more effective synthesis methods.

2 Syntax and Semantics

The semantics of constraint automata is defined as a relation over timed data streams [3], which are pairs, each consisting of a non-decreasing stream of time stamps and a stream of observed (exchanged) data items. The primary significance of time streams is the proper alignment of their respective data streams, by allowing “temporal gaps” during which no data is observed. For convenience, we drop the time stream and model protocols as relations over streams of data, augmented by a special symbol that designates the “no-data” item.

We first define the abstract behavior of a protocol C. Fix an infinite set X of variables, and fix a non-empty set of user-data \(Data \supseteq \{0\}\) that contains a datum 0. Consider the data domain \(D = Data \cup \{*\}\) of data stream items, where we use the “no-data” symbol \(*\in D\setminus Data\) to denote the absence of data. We model a single execution of protocol C as a function

$$\begin{aligned} \theta : X \longrightarrow D^\mathbb {N}\end{aligned}$$
(1)

that maps every variable \(x \in X\) to a function \(\theta (x) : \mathbb {N}\longrightarrow D\) that represents a stream of data at location x. We call \(\theta \) a data stream tuple (over X and D). For all \(n \in \mathbb {N}\) and all \(x \in X\), the value \(\theta (x)(n) \in D\) is the data that we observe at location x and time step n. If \(\theta (x)(n) = *\), we say that no data is observed at x in step n (i.e., we may view \(\theta \) as a partial map \(\mathbb {N}\times X \rightharpoonup Data\)). The behavior of protocol C consists of the set

$$\begin{aligned} \mathcal{L}(C) \ \subseteq \ (D^\mathbb {N})^X \end{aligned}$$
(2)

of all possible executions of C, called the accepted language of C. We can think of accepted language \(\mathcal{L}(C)\) as a relation over data streams. In this paper, we study protocols that are defined as a stream constraint:

Definition 1

(Stream constraints). A stream constraint \(\phi \) is an expression generated by the following grammar

$$\begin{aligned} \phi ~&{:}{:}\!\!= \ \bot \ \mid \ t_0 \doteq t_1 \ \mid \ \phi _0 \wedge \phi _1 \ \mid \ \lnot \phi \ \mid \ \exists x \phi \ \mid \ \square \phi \\ t~&{:}{:}\!\!= \ x \ \mid \ \varvec{d} \ \mid \ t' \end{aligned}$$

where \(x \in X\) is a variable, \(d \in D\) is a datum, and t is a stream term.

We use the following standard syntactic sugar: \(\top = \lnot \bot \), \(\phi _0 \vee \phi _1 = \lnot (\lnot \phi _0 \wedge \lnot \phi _1)\), \(\Diamond \phi = \lnot \square \lnot \phi \), , \((t_1\doteq t_2 \wedge \cdots \wedge t_{n-1}\doteq t_n) = (t_1\doteq \cdots \doteq t_n)\), \(t^{(0)} = t\), and \(t^{(k+1)} = (t^{(k)})'\), for all \(k \ge 0\). Following Rutten [25], we call \(t^{(k)}\), \(k \ge 0\), the k-th derivative of term t.

We interpret a stream constraint as a constraint over streams of data in \(D^\mathbb {N}\). For a datum \(d \in D\), \(\varvec{d}\) is the constant stream defined as \(\varvec{d}(n)=d\), for all \(n \in \mathbb {N}\). The operator \((-)'\), called stream derivative, drops the head of the stream and is defined as \(\sigma '(n) = \sigma (n+1)\), for all \(n \in \mathbb {N}\) and \(\sigma \in D^\mathbb {N}\). Streams can be related by \(\doteq \) that expresses equality of their heads: \(x \doteq y\) iff \(x(0) = y(0)\), for all \(x,y \in D^\mathbb {N}\). The modal operator \(\square \) allows us to express that a stream constraint holds after applying any number of derivatives to all variables. For example, \(\square (x\doteq y)\) iff \(x^{(k)}(0) = y^{(k)}(0)\), for all \(k\in \mathbb {N}\) and \(x,y\in D^\mathbb {N}\). Stream constraints can be composed via conjunction \(\wedge \), or negated via negation \(\lnot \). Streams can be hidden via existential quantification \(\exists \).

Each stream term t evaluates to a data stream in \(D^\mathbb {N}\). Let \(\theta : X \longrightarrow D^\mathbb {N}\) be a data stream tuple. We extend the domain of \(\theta \) from the set of variables X to the set of terms \(T \supseteq X\) as follows: we define \(\theta : T \longrightarrow D^\mathbb {N}\) via \(\theta (\varvec{d}) = \varvec{d}\) and \(\theta (t') = \theta (t)'\), for all \(d\in D\) and terms \(t \in T\).

Next, we interpret a stream constraint \(\phi \) as a relation over streams.

Definition 2

(Semantics). The language \(\mathcal{L}(\phi ) \subseteq (D^\mathbb {N})^X\) of a stream constraint \(\phi \) over variables X and data domain D is defined as

  1. \(\mathcal{L}(\bot ) = \emptyset \);
  2. \(\mathcal{L}(t_0 \doteq t_1) = \{ \theta : X \longrightarrow D^\mathbb {N}\mid \theta (t_0)(0) = \theta (t_1)(0) \}\);
  3. \(\mathcal{L}(\phi _0 \wedge \phi _1) = \mathcal{L}(\phi _0) \cap \mathcal{L}(\phi _1)\);
  4. \(\mathcal{L}(\lnot \phi ) = (D^\mathbb {N})^X \setminus \mathcal{L}(\phi )\);
  5. \(\mathcal{L}(\exists x \phi ) = \{ \theta : X \longrightarrow D^\mathbb {N}\mid \theta [x \mapsto \sigma ] \in \mathcal{L}(\phi ) \text {, for some } \sigma \in D^\mathbb {N}\}\);
  6. \(\mathcal{L}(\square \phi ) = \{ \theta : X \longrightarrow D^\mathbb {N}\mid \theta ^{(k)} \in \mathcal{L}(\phi ) \text {, for all } k \ge 0\}\),

where \(\theta [x \mapsto \sigma ] : X \longrightarrow D^\mathbb {N}\) is defined as \(\theta [x \mapsto \sigma ](x) = \sigma \) and \(\theta [x \mapsto \sigma ](y) = \theta (y)\), for all \(y \in X \setminus \{x\}\); and \(\theta ^{(k)} : X \longrightarrow D^\mathbb {N}\) is defined as \(\theta ^{(k)}(x) = \theta (x^{(k)})\), for all \(x \in X\).

Let \(\phi \) and \(\psi \) be two stream constraints and \(\theta : X \longrightarrow D^\mathbb {N}\) a data stream tuple. We say that \(\theta \) satisfies \(\phi \) (and write \(\theta \models \phi \)), whenever \(\theta \in \mathcal{L}(\phi )\). We say that \(\phi \) implies \(\psi \) (and write \(\phi \models \psi \)), whenever \(\mathcal{L}(\phi ) \subseteq \mathcal{L}(\psi )\). We call \(\phi \) and \(\psi \) equivalent (and write \(\phi \equiv \psi \)), whenever \(\mathcal{L}(\phi ) = \mathcal{L}(\psi )\).

Example 1

One of the simplest stream constraints is \(\mathsf{sync}(a,b)\), which is defined as \(\square (a \doteq b)\). Constraint \(\mathsf{sync}(a,b)\) encodes that the data streams at a and b are equal: \(\theta \models \mathsf{sync}(a,b)\) if and only if \(\theta (a)(k) = \theta (b)(k)\), for all \(k \in \mathbb {N}\). Therefore, \(\mathsf{sync}(a,b)\) synchronizes the data flow observed at ports a and b.

Conjunction \(\wedge \) and existential quantification \(\exists \) provide natural operators for composition and abstraction for stream constraints. For example, the composition \(\mathsf{sync}(a,b) \wedge \mathsf{sync}(b,c)\) synchronizes ports a, b, and c. Hiding port b yields \(\exists b (\mathsf{sync}(a,b)\wedge \mathsf{sync}(b,c))\), which is equivalent to \(\mathsf{sync}(a,c)\).    \(\triangle \)

Example 2

Recall that \(x^{(k)}\), for \(k \ge 0\), is the k-th derivative of x. We can express that a stream x is periodic via the stream constraint \(\square (x^{(k)} \doteq x)\), for some \(k \ge 1\). For \(k = 1\), stream x is constant, like \(\varvec{0}\) and \(\varvec{*}\).     \(\triangle \)

Example 3

The stream constraint \(\mathsf{fifo}(a,b,m)\) defined as \(m \doteq \varvec{*} \wedge \square ((a \doteq m' \doteq \varvec{0} \wedge b \doteq m \doteq \varvec{*}) \vee (a \doteq m' \doteq \varvec{*} \wedge b \doteq m \doteq \varvec{0}) \vee (a \doteq b \doteq \varvec{*} \wedge m' \doteq m))\) models a 1-place buffer with input location a, output location b, and memory location m that can be full (\(m \doteq \varvec{0}\)) or empty (\(m\doteq \varvec{*}\)).     \(\triangle \)

Example 4

Recall that \(*\) models absence of data. Stream constraint expresses that always eventually we observe some datum at a. A constraint of such form can be used to define fairness.     \(\triangle \)

3 Regular Constraints

We identify a subclass of stream constraints that naturally correspond to constraint automata. We first introduce some notation.

To denote that a string s occurs as a substring in a stream constraint \(\phi \) or a stream term t, we write \(s \in \phi \) or \(s \in t\), respectively.

Every stream constraint \(\phi \) admits a set \({\text {free}}(\phi ) \subseteq X\) of free variables, defined inductively via \({\text {free}}(\bot ) = \emptyset \), \({\text {free}}(t_0 \doteq t_1) = \{x \in X \mid x \in t_0 \text { or } x \in t_1\}\), \({\text {free}}(\phi _0 \wedge \phi _1) = {\text {free}}(\phi _0) \cup {\text {free}}(\phi _1)\), \({\text {free}}(\lnot \phi ) = {\text {free}}(\square \phi ) = {\text {free}}(\phi )\), and \({\text {free}}(\exists x \phi ) = {\text {free}}(\phi ) \setminus \{x\}\).

For every variable \(x \in X\), we define the degree of x in \(\phi \) as

$$\deg _x(\phi ) \ = \ \max (\{-1\} \cup \{ k \ge 0 \mid x^{(k)} \in \phi \}), $$

and the degree of \(\phi \) as \(\deg (\phi ) = \max _{x \in X} \deg _x(\phi )\). Note that for \(x \notin \phi \) we have \(\deg _x(\phi ) = -1\). For \(k \ge 0\), we write \({\text {free}}^k(\phi ) = \{ x \in {\text {free}}(\phi ) \mid \deg _x(\phi ) = k \}\) for the set of all free variables of \(\phi \) of degree k.

We call a variable x of degree zero in \(\phi \) a port variable and write \(P(\phi ) = {\text {free}}^0(\phi )\) for the set of port variables of \(\phi \). We call a variable x of degree one or higher in \(\phi \) a memory variable and write \(M(\phi ) = \bigcup _{k \ge 1} {\text {free}}^k(\phi )\) for the set of memory variables of \(\phi \).

Definition 3

(Regular). A stream constraint \(\phi \) is regular if and only if \(\phi = \psi _0 \wedge \square \psi \), such that \(\square \notin \psi _0 \wedge \psi \) and \(\deg _x(\psi _0) < \deg _x(\psi ) \le 1\), for all \(x \in X\).

For a regular stream constraint \(\phi = \psi _0 \wedge \square \psi \), we refer to \(\psi _0\) as the initial condition of \(\phi \) and we refer to \(\psi \) as the invariant of \(\phi \). Stream constraints \(\mathsf{sync}(a,b)\) and \(\mathsf{fifo}(a,b,m)\) in Examples 1 and 3 are regular stream constraints.

A regular stream constraint \(\phi \) has an operational interpretation in terms of a labeled transition system \(\llbracket \phi \rrbracket \). States of the transition system consist of maps \(q : M(\phi ) \longrightarrow D\) that assign data to memory locations, and its labels consist of maps \(\alpha : P(\phi ) \longrightarrow D\) that assign data to ports. We write \(Q(\phi )\) for the set of states of \(\phi \) and \(A(\phi )\) for the set of labels of \(\phi \).

Definition 4

(Operational semantics). The operational semantics \(\llbracket \phi \rrbracket \) of a regular stream constraint \(\phi = \psi _0 \wedge \square \psi \) consists of a labeled transition system \((Q(\phi ),A(\phi ),\rightarrow ,Q_0)\), with set of states \(Q(\phi )\), set of labels \(A(\phi )\), set of transitions \({\rightarrow } = \{(q_\phi (\theta ),q_\phi (\theta '),\alpha _\phi (\theta )) \mid \theta \in \mathcal{L}(\psi )\}\), and set of initial states \(Q_0 = \{ q_\phi (\theta ) \mid \theta \in \mathcal{L}(\psi _0 \wedge \psi )\}\), where

  1. \(q_\phi (\theta ) : M(\phi ) \longrightarrow D\) is defined as \(q_\phi (\theta )(x) = \theta (x)(0)\), for \(x \in M(\phi )\); and
  2. \(\alpha _\phi (\theta ) : P(\phi ) \longrightarrow D\) is defined as \(\alpha _\phi (\theta )(x) = \theta (x)(0)\), for \(x \in P(\phi )\);

and \(\theta '\) is defined as \(\theta '(x)(n) = \theta (x)(n+1)\), for all \(x \in X\) and \(n \in \mathbb {N}\).

Example 5

Consider the regular stream constraint \(\mathsf{fifo}(a,b,m)\) from Example 3. Note that in this example, the set of ports equals \({\text {free}}^0(\mathsf{fifo}) = \{a,b\}\) and the set of memory locations equals \({\text {free}}^1(\mathsf{fifo}) = \{m\}\). The operational semantics \(\llbracket \mathsf{fifo}(a,b,m) \rrbracket \) over the trivial data domain \(D = \{0,*\}\) consists of the following 4 transitions:

  1. \(([m \mapsto *], [m \mapsto 0], [a \mapsto 0, b \mapsto *])\);
  2. \(([m \mapsto 0], [m \mapsto *], [a \mapsto *, b \mapsto 0])\); and
  3. \(([m \mapsto d], [m \mapsto d], [a \mapsto *, b \mapsto *])\), for every \(d \in \{*,0\}\).

Figure 1 shows the semantics of \(\mathsf{fifo}\) over the trivial data domain.     \(\triangle \)

Fig. 1.
figure 1

Semantics of \(\mathsf{fifo}(a,b,m)\) over the trivial data domain \(\{0,*\}\).
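Definition 4 is effectively executable over a finite data domain: an invariant of degree at most one can only inspect the step-0 value of each port and the step-0 and step-1 values of each memory variable, so enumerating those valuations enumerates the transitions. The following Python script is an added example and not part of the original paper; it encodes \(\mathsf{fifo}(a,b,m)\) from Example 3 over the trivial domain \(\{0,*\}\) (the string `"*"` stands for the no-data symbol, an encoding assumed here), rebuilds the four transitions and the single initial state of Example 5, and works for any regular constraint whose invariant and initial condition are supplied as Python predicates.

```python
import itertools

NO = "*"            # the "no-data" symbol; with Data = {0}, D = {0, "*"} is the trivial domain
DOMAIN = (0, NO)


def valuations(ports, memory, domain=DOMAIN):
    """Every valuation of the quantities a degree-1 invariant can depend on:
    port values at step 0 and memory values at steps 0 and 1.
    Keys are (variable, derivative); ("m", 1) stands for the head of m'."""
    keys = [(p, 0) for p in ports] + [(m, k) for m in memory for k in (0, 1)]
    for values in itertools.product(domain, repeat=len(keys)):
        yield dict(zip(keys, values))


def lts(ports, memory, invariant, initial, domain=DOMAIN):
    """Definition 4 over a finite domain.
    invariant(v) decides the invariant psi and initial(v) the initial condition
    psi_0 on a valuation v.  Returns (transitions, initial_states); a transition
    is (q, q', alpha) with q, q', alpha encoded as tuples of (variable, value)."""
    transitions, initial_states = set(), set()
    for v in valuations(ports, memory, domain):
        if not invariant(v):
            continue
        q = tuple((m, v[(m, 0)]) for m in memory)          # q_phi(theta)
        q_next = tuple((m, v[(m, 1)]) for m in memory)     # q_phi(theta')
        alpha = tuple((p, v[(p, 0)]) for p in ports)       # alpha_phi(theta)
        transitions.add((q, q_next, alpha))
        if initial(v):                                      # theta |= psi_0 /\ psi
            initial_states.add(q)
    return transitions, initial_states


def fifo_invariant(v):
    """Invariant of fifo(a, b, m) from Example 3: the three clauses under the box."""
    a, b, m, m_next = v[("a", 0)], v[("b", 0)], v[("m", 0)], v[("m", 1)]
    put = a == m_next == 0 and b == m == NO
    take = a == m_next == NO and b == m == 0
    idle = a == b == NO and m_next == m
    return put or take or idle


def fifo_initial(v):
    """Initial condition m = *: the buffer starts empty."""
    return v[("m", 0)] == NO


def fifo_lts():
    return lts(ports=("a", "b"), memory=("m",), invariant=fifo_invariant, initial=fifo_initial)


if __name__ == "__main__":
    transitions, initial = fifo_lts()
    for q, q_next, alpha in sorted(transitions, key=str):
        print(f"{dict(q)} --{dict(alpha)}--> {dict(q_next)}")
    print("initial states:", [dict(q) for q in initial])
```

The enumeration is exponential in the number of free variables, which is exactly the blow-up the paper avoids at compile time; the script is only meant to make Definition 4 concrete on small constraints.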

Equivalent stream constraints do not necessarily have the same operational semantics. We are, therefore, interested in operational equivalence of constraints:

Definition 5

(Operational equivalence). Stream constraints \(\phi \) and \(\psi \) are operationally equivalent (\(\phi \simeq \psi \)) iff \(\phi \equiv \psi \) and \({\text {free}}^k(\phi ) = {\text {free}}^k(\psi )\), for all \(k \ge 0\).

Example 6

Let \(\phi \) be a stream constraint, let t be a term and let \(x \notin t\) be a variable that does not occur in t. Then, we have \(\exists x (x \doteq t \wedge \phi ) \equiv \phi [t/x]\), where \(\phi [t/x]\) is obtained from \(\phi \) by substituting t for every free occurrence of x. Observe that \(\exists x (x \doteq t \wedge \phi )\) and \(\phi [t/x]\) may admit different sets of free variables: if \(\phi \) is just \(\top \) and t is a variable y, the equivalence amounts to \( \exists x (x \doteq y) \equiv \top \). To ensure that the free variables coincide, we can add the equality \(t \doteq t\) and obtain the operational equivalence \(\exists x (x \doteq t \wedge \phi ) \simeq \phi [t/x] \wedge t \doteq t\).     \(\triangle \)

Operational equivalence of stream constraints \(\phi \) and \(\psi \) implies that their operational semantics are identical, i.e., \(\llbracket \phi \rrbracket = \llbracket \psi \rrbracket \). It is possible to introduce weaker equivalences by, for example, demanding that \(\llbracket \phi \rrbracket \) and \(\llbracket \psi \rrbracket \) are only weakly bisimilar. Such weaker equivalences offer more room for simplification of stream constraints than operational equivalence does. As our work does not need this generality, we leave the study of such weaker equivalences as future work.

The most important operations on stream constraints are composition (\(\wedge \)) and hiding (\(\exists \)). The following result shows that regular stream constraints are closed under conjunction and existential quantification of degree zero variables.

Theorem 1

For all stream constraints \(\phi \) and \(\psi \) and variables x, we have

  1. \(\square \phi \wedge \square \psi \equiv \square (\phi \wedge \psi )\); and
  2. \(\exists x \square \phi \equiv \square \exists x \phi \), whenever \(\deg _x(\phi ) \le 0\) and \(\square \notin \phi \).

Proof

For assertion 1, \(\mathcal{L}(\square \phi \wedge \square \psi ) = \{ \theta \in (D^\mathbb {N})^X \mid \forall k \ge 0 : \theta ^{(k)} \models \phi \wedge \psi \} = \mathcal{L}(\square (\phi \wedge \psi ))\) shows that \(\square \phi \wedge \square \psi \equiv \square (\phi \wedge \psi )\).

For assertion 2, suppose that \(\deg _x(\phi ) \le 0\) and \(\square \notin \phi \). We show that \(\theta \in \mathcal{L}(\square \exists x \phi )\) if and only if \(\theta \in \mathcal{L}(\exists x \square \phi )\), for all \(\theta \in (D^\mathbb {N})^X\). By Definition 2, \(\theta \in \mathcal{L}(\square \exists x \phi )\) iff, for every \(k \ge 0\), there exists some \(\mu _k \in D^\mathbb {N}\) with \(\theta ^{(k)}[x \mapsto \mu _k] \models \phi \); and \(\theta \in \mathcal{L}(\exists x \square \phi )\) iff there exists some \(\sigma \in D^\mathbb {N}\) with \((\theta [x \mapsto \sigma ])^{(k)} \models \phi \), for every \(k \ge 0\). Both directions of the equivalence follow from

$$\begin{aligned} \theta ^{(k)}[x \mapsto \mu _k] \models \phi \quad \Leftrightarrow \quad (\theta [x \mapsto \sigma ])^{(k)} \models \phi , \end{aligned}$$
(3)

for all \(k \ge 0\), \(\sigma \in D^\mathbb {N}\), and \(\mu _k \in D^\mathbb {N}\) such that \(\mu _k(0) = \sigma ^{(k)}(0)\): given the streams \(\mu _k\), define \(\sigma \) by \(\sigma (k) = \mu _k(0)\); given \(\sigma \), take \(\mu _k = \sigma ^{(k)}\).

To prove Eq. (3), we proceed by induction on the length of \(\phi \):

Case 1 (\(\phi := \bot \)): Since \(\mathcal{L}(\bot ) = \emptyset \), Eq. (3) holds trivially.

Case 2 (\(\phi := t_0 \doteq t_1\)): Observe that, since \(\deg _x(\phi ) \le 0\), for all terms t, we have \(x \in t\) iff \(t = x\). We conclude Eq. (3) from \(\mu _k(0) = \sigma ^{(k)}(0)\) and

$$ \theta ^{(k)}[x \mapsto \mu _k](t)(0) = \left. {\left\{ \begin{array}{ll} \mu _k(0) &{} \text {if } t = x \\ \theta ^{(k)}(t)(0) &{} \text {if } t \ne x \end{array}\right. } \right\} = (\theta [x \mapsto \sigma ])^{(k)}(t)(0).$$

Case 3 (\(\phi := \psi _0 \wedge \psi _1\)): By the induction hypothesis, Eq. (3) holds for \(\psi _0\) and \(\psi _1\). By conjunction of Eq. (3), we conclude Eq. (3) for \(\phi \).

Case 4 (\(\phi := \lnot \psi \)): By the induction hypothesis, Eq. (3) holds for \(\psi \). By contraposition of Eq. (3), we conclude Eq. (3) for \(\phi \).

Case 5 (\(\phi := \exists y \psi \)): If \(y=x\), then \(x \notin {\text {free}}(\phi )\) and both sides in Eq. (3) are equivalent to \(\theta ^{(k)} \models \phi \). Hence, Eq. (3) holds for \(y=x\). Suppose \(y \ne x\). Then, \(\theta ^{(k)}[x \mapsto \mu _k] \models \phi \) is equivalent to \((\theta [y \mapsto \tau ])^{(k)}[x \mapsto \mu _k] \models \psi \), for some \(\tau \in D^\mathbb {N}\). Applying the induction hypothesis for \(\theta \) equal to \(\theta [y \mapsto \tau ]\), we conclude that \(\theta ^{(k)}[x \mapsto \mu _k] \models \phi \) is equivalent to \((\theta [y \mapsto \tau ][x \mapsto \sigma ])^{(k)} \models \psi \), for some \(\tau \in D^\mathbb {N}\). Since \(y \ne x\), we conclude that Eq. (3) holds.

We conclude that the claim holds for all \(\phi \) with \(\deg _x(\phi ) \le 0\) and \(\square \notin \phi \).     \(\square \)

4 Reflexive Constraints

Conjunction of stream constraints is a simple syntactic composition operator with clear semantics: a data stream tuple \(\theta \) satisfies a conjunction \(\phi _0\wedge \phi _1\) if and only if \(\theta \) satisfies both \(\phi _0\) and \(\phi _1\). In view of the operational semantics of regular stream constraints in Definition 4, it is less obvious how \(\llbracket \phi _0\wedge \phi _1 \rrbracket \) relates to \(\llbracket \phi _0 \rrbracket \) and \(\llbracket \phi _1 \rrbracket \). The following result characterizes their relation when no memory is shared.

Theorem 2

Let \(\phi _0\) and \(\phi _1\) be regular stream constraints such that \({\text {free}}(\phi _0) \cap {\text {free}}(\phi _1) \subseteq P(\phi _0 \wedge \phi _1)\), and let \((q_i,q_i',\alpha _i) \in Q(\phi _i)^2 \times A(\phi _i)\), for \(i \in \{0,1\}\). The following are equivalent:

  1. \(q_0 \xrightarrow {\alpha _0} q_0'\) in \(\llbracket \phi _0 \rrbracket \), \(q_1 \xrightarrow {\alpha _1} q_1'\) in \(\llbracket \phi _1 \rrbracket \), and \(\alpha _0|_{P(\phi _1)} = \alpha _1|_{P(\phi _0)}\);
  2. \(q_0 \cup q_1 \xrightarrow {\alpha _0 \cup \alpha _1} q_0' \cup q_1' \text { in } \llbracket \phi _0 \wedge \phi _1 \rrbracket \),

where | is restriction of maps, and \(\cup \) is union of maps.

Proof

Write \(\phi _i=\psi _{i0} \wedge \square \psi _i\), with \(\square \notin \psi _{i0} \wedge \psi _i\) and \(\deg _x(\psi _{i0}) < \deg _x(\psi _i) \le 1\), for all \(x \in X\). Then, \({\text {free}}^k(\phi _i) = {\text {free}}^k(\psi _i)\), for all \(i,k \in \{0,1\}\).

Suppose that assertion 1 holds. By Definition 4, we find, for all \(i \in \{0,1\}\), some \(\theta _i \in \mathcal{L}(\psi _i)\) such that \(q_i = q_{\phi _i}(\theta _i)\), \(q_i' = q_{\phi _i}(\theta '_i)\), and \(\alpha _i = \alpha _{\phi _i}(\theta _i)\). Since \({\text {free}}(\phi _0) \cap {\text {free}}(\phi _1) \subseteq P(\phi _0 \wedge \phi _1)\), every shared variable x is a port of both constraints, so \(\psi _i\) depends only on the head \(\theta _i(x)(0) = \alpha _i(x)\) of its stream. As \(\alpha _0|_{P(\phi _1)} = \alpha _1|_{P(\phi _0)}\), we may therefore choose \(\theta _0\) and \(\theta _1\) such that \(\theta _0(x) = \theta _1(x)\), for all \(x \in {\text {free}}(\phi _0) \cap {\text {free}}(\phi _1)\). Define \(\theta : X \longrightarrow D^\mathbb {N}\) by \(\theta (x) = \theta _i(x)\), if \(x \in {\text {free}}(\phi _i)\), and \(\theta (x) = \varvec{*}\), otherwise; by the previous observation, \(\theta \) is well-defined. By construction, \(\theta \models \psi _0\) and \(\theta \models \psi _1\), i.e., \(\theta \models \psi _0\wedge \psi _1\) by Definition 2. By Theorem 1, we have \(\phi _0 \wedge \phi _1 \equiv \psi _{00} \wedge \psi _{10} \wedge \square (\psi _0 \wedge \psi _1)\), so \(\psi _0 \wedge \psi _1\) is the invariant of \(\phi _0 \wedge \phi _1\). Since \(q_0 \cup q_1 = q_{\phi _0 \wedge \phi _1}(\theta )\), \(q_0' \cup q_1' = q_{\phi _0 \wedge \phi _1}(\theta ')\), and \(\alpha _0 \cup \alpha _1 = \alpha _{\phi _0 \wedge \phi _1}(\theta )\), we conclude assertion 2.

Suppose that assertion 2 holds. By Definition 4, we find some \(\theta \in \mathcal{L}(\psi _0\wedge \psi _1)\), such that \(q_0 \cup q_1 = q_{\phi _0 \wedge \phi _1}(\theta )\), \(q_0' \cup q_1' = q_{\phi _0 \wedge \phi _1}(\theta ')\), and \(\alpha _0 \cup \alpha _1 = \alpha _{\phi _0 \wedge \phi _1}(\theta )\). Then \(\theta \models \psi _i\), for \(i \in \{0,1\}\), with \(q_i = q_{\phi _i}(\theta )\), \(q_i' = q_{\phi _i}(\theta ')\), and \(\alpha _i = \alpha _{\phi _i}(\theta )\). Since \(\alpha _0\) and \(\alpha _1\) are restrictions of the same map \(\alpha _{\phi _0 \wedge \phi _1}(\theta )\), they agree on the shared ports, and we conclude assertion 1.     \(\square \)

Stream constraints \(\phi _0\) and \(\phi _1\) without shared variables (\({\text {free}}(\phi _0) \cap {\text {free}}(\phi _1) = \emptyset \)) seem completely independent. However, Theorem 2 shows that their composition \(\phi _0 \wedge \phi _1\) admits a transition only if \(\phi _0\) and \(\phi _1\) admit respective local transitions \((q_0,q_0',\alpha _0)\) and \((q_1,q_1',\alpha _1)\), such that \(\alpha _0|_{P(\phi _1)} = \alpha _1|_{P(\phi _0)}\). Since \(\phi _0\) and \(\phi _1\) do not share variables, the latter condition on \(\alpha _0\) and \(\alpha _1\) is trivially satisfied. Still, for one protocol \(\phi _i\), with \(i \in \{0,1\}\), to make progress in the composition \(\phi _0 \wedge \phi _1\), constraint \(\phi _{1-i}\) must admit an idling transition.

To allow such independent progress, we assume that \(\phi _{1-i}\) admits an idling transition \((q,q,\tau )\), where \(\tau \) is the silent label over \(P(\phi _{1-i})\). The silent label over a set of ports \(P \subseteq X\) is the map \(\tau : P \longrightarrow D\) that maps every \(x \in P\) to \(*\in D\). If such an idling transition is available in every state of a constraint \(\phi \), we say that \(\phi \) is reflexive:

Definition 6

(Reflexive). A stream constraint \(\phi \) is reflexive if and only if \(q \xrightarrow {\tau } q\) in \(\llbracket \phi \rrbracket \), for all \(q \in Q(\phi )\).

For regular constraints, we can define reflexiveness also syntactically, for which we need some notation. For a variable \(x \in X\) and an integer \(k \in \mathbb {N}\cup \{-1\}\), we define the predicate \(x\dagger _k\) (pronounced: “x is blocked at step k”) as follows:

$$ x\dagger _k \ := \ (x^{(k)} \doteq x^{(k-1)}), \qquad \, \text {with} \, x^{(k)} \doteq \varvec{*}\text {, for all}\, k < 0.$$

Predicate \(x\dagger _{-1} \equiv \top \) is trivially true. Predicate \(x\dagger _0 \equiv (x \doteq \varvec{*})\) means that we observe no data flow at port x. Predicate \(x\dagger _1 \equiv (x' \doteq x)\) means that the data in memory variable x remains the same.

We now provide a syntactic equivalent of Definition 6 for regular constraints.

Lemma 1

A regular stream constraint \(\phi = \psi _0 \wedge \square \psi \) is reflexive if and only if \(\bigwedge _{x \in X} x \dagger _{d(x)} \models \psi \), where \(d(x) = \deg _x(\phi )\), for all \(x \in X\).

Proof

Since \(d(x) = -1\), and hence \(x \dagger _{d(x)} \equiv \top \), for all but finitely many \(x \in X\), the stream constraint \(\bigwedge _{x \in X} x \dagger _{d(x)}\) is a finite conjunction and therefore well-defined. A data stream tuple \(\theta \) satisfies \(\bigwedge _{x \in X} x \dagger _{d(x)}\) if and only if \(\theta (x)(0) = *\), for every port x, and \(\theta (x)(1) = \theta (x)(0)\), for every memory variable x, i.e., iff \(\alpha _\phi (\theta ) = \tau \) and \(q_\phi (\theta ) = q_\phi (\theta ')\). Since \(\deg (\psi ) \le 1\) and \(\square \notin \psi \), whether \(\theta \models \psi \) depends only on \(q_\phi (\theta )\), \(q_\phi (\theta ')\), and \(\alpha _\phi (\theta )\). Hence, \(\bigwedge _{x \in X} x \dagger _{d(x)} \models \psi \) if and only if, for all \(q \in Q(\phi )\), there exists some \(\theta \in \mathcal{L}(\psi )\), such that \(q_\phi (\theta ) = q_\phi (\theta ') = q\) and \(\alpha _\phi (\theta ) = \tau \), i.e., iff \(q \xrightarrow {\tau } q\) in \(\llbracket \phi \rrbracket \), for all \(q \in Q(\phi )\).     \(\square \)

Example 7

The stream constraint \(\mathsf{sync}(a,b) := \square (a \doteq b)\) from Example 1 is reflexive, because \(\bigwedge _{x \in X} x\dagger _{d(x)} = a\doteq \varvec{*}\wedge b\doteq \varvec{*}\) implies \(a\doteq b\). The stream constraint \(\mathsf{fifo}\) from Example 3 is reflexive, because \(\bigwedge _{x \in X} x \dagger _{d(x)} = a\doteq \varvec{*} \wedge b\doteq \varvec{*} \wedge m'\doteq m\) is one of the clauses of \(\mathsf{fifo}\).     \(\triangle \)

Theorem 2 suggests a composition operator \(\times \) on labeled transition systems, satisfying \(\llbracket \phi _0 \rrbracket \times \llbracket \phi _1 \rrbracket = \llbracket \phi _0\wedge \phi _1 \rrbracket \). For reflexive constraints \(\phi _0\) and \(\phi _1\), composition \(\times \) simulates composition of constraint automata [6]. Constraint automata also feature a hiding operator that naturally corresponds to existential quantification \(\exists \) for stream constraints. We leave a full formal comparison between stream constraints and constraint automata as future work.
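The product \(\times \) of Theorem 2 and the reflexivity check of Definition 6 are both finite computations on labeled transition systems. The Python below is an added example, not code from the paper: it writes out the transition sets of \(\mathsf{fifo}(b,c,m)\) (the system of Example 5, with ports renamed) and of \(\mathsf{sync}(a,b)\) over the trivial domain by hand, composes them on the shared port b, and then repeats the composition with a hypothetical variant `STRICT_AB` of \(\mathsf{sync}(a,b)\) from which the idling transition has been removed. That variant is introduced here only to show what the discussion after Theorem 2 warns about: without reflexivity the buffer can be filled but never emptied. States and labels are encoded as tuples of (variable, value) pairs, and `"*"` stands for the no-data symbol.

```python
NO = "*"

# fifo(b, c, m): ports b, c; memory m.  Transitions taken from Example 5.
FIFO_BC = {
    ((("m", NO),), (("m", 0),), (("b", 0), ("c", NO))),     # put
    ((("m", 0),), (("m", NO),), (("b", NO), ("c", 0))),     # take
    ((("m", NO),), (("m", NO),), (("b", NO), ("c", NO))),   # idle while empty
    ((("m", 0),), (("m", 0),), (("b", NO), ("c", NO))),     # idle while full
}
# sync(a, b): ports a, b; its only state is the empty memory map ().
SYNC_AB = {
    ((), (), (("a", 0), ("b", 0))),
    ((), (), (("a", NO), ("b", NO))),                        # the idling transition
}
# Hypothetical non-reflexive variant: sync(a, b) without its idling transition.
STRICT_AB = {((), (), (("a", 0), ("b", 0)))}


def ports(system):
    return {p for _, _, alpha in system for p, _ in alpha}


def is_reflexive(system):
    """Definition 6: every state admits q --tau--> q, where tau maps every port to *."""
    states = {q for q, _, _ in system} | {q for _, q, _ in system}
    tau = tuple((p, NO) for p in sorted(ports(system)))
    return all((q, q, tau) in system for q in states)


def restrict(alpha, names):
    """alpha|_names: restriction of a label to a set of ports."""
    return {p: d for p, d in alpha if p in names}


def compose(system0, system1):
    """Theorem 2: product of two systems that share ports but no memory.
    Two local transitions combine iff their labels agree on the shared ports;
    the combined state and label are the unions of the local ones."""
    p0, p1 = ports(system0), ports(system1)
    product = set()
    for q0, q0_next, a0 in system0:
        for q1, q1_next, a1 in system1:
            if restrict(a0, p1) != restrict(a1, p0):
                continue
            label = tuple(sorted({**dict(a0), **dict(a1)}.items()))
            product.add((tuple(sorted(q0 + q1)), tuple(sorted(q0_next + q1_next)), label))
    return product


def stuck_states(system):
    """States that some transition enters but that have no outgoing transition."""
    sources = {q for q, _, _ in system}
    return {q for _, q, _ in system} - sources


if __name__ == "__main__":
    for name, left in (("sync", SYNC_AB), ("strict", STRICT_AB)):
        product = compose(left, FIFO_BC)
        print(f"{name}(a,b) /\\ fifo(b,c,m): {len(product)} transitions, "
              f"stuck states {[dict(q) for q in stuck_states(product)]}")
```

With the reflexive \(\mathsf{sync}(a,b)\) the product has four transitions and no dead end; with `STRICT_AB` only the put transition survives, because the take and idle transitions of the buffer require \(\mathsf{sync}(a,b)\) to idle on b, and the full buffer becomes a stuck state.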

5 Rule-Based Form

The commandification algorithm developed by Jongmans accepts only conjunctions of literals [14]. To apply commandification to the invariant \(\psi \) of an arbitrary regular stream constraint \(\psi _0 \wedge \square \psi \), we can first transform \(\psi \) into disjunctive normal form (DNF). However, the number of clauses in the disjunctive normal form may be exponential in the length of the constraint. In this section, we introduce an alternative to the disjunctive normal form that prevents such exponential blow up, for a strictly larger class of stream constraints. Our main observation is that the clauses of the disjunctive normal form may contain many symmetries, in the sense that we may generate all clauses from a set of stream constraints R, called a set of rules. A rule is a stream constraint \(\rho \), such that \(\deg (\rho ) \le 1\) and \(\square \notin \rho \).

Definition 7

(Rule-based form). A reflexive stream constraint \(\phi \) is in rule-based form iff \(\phi \) equals

$$\begin{aligned} {\text {rbf}}(R) \ = \ \bigwedge _{x \in {\text {free}}(R)} \Big( {x\dagger _{d(x)}} \vee \bigvee _{\rho \in R : x \in {\text {free}}(\rho )} \rho \Big) \end{aligned}$$
(4)

with R a finite set of rules, \({\text {free}}(R) = \bigcup _{\rho \in R} {\text {free}}(\rho )\), and \(d(x) = \max _{\rho \in R} \deg _x(\rho )\). A stream constraint \(\phi \) is defined by R iff \(\phi \simeq {\text {rbf}}(R)\).

We apply the rule-based form to the invariant of regular constraints, via \(\psi _0 \wedge \square {\text {rbf}}(R)\), for some degree zero stream constraint \(\psi _0\) and set of rules R. Intuitively, R remains smaller than the DNF of \({\text {rbf}}(R)\) under composition.

Example 8

\(\psi \simeq {\text {rbf}}(\{\psi \})\), for all reflexive stream constraints \(\psi \), with \(\deg (\psi ) \le 1\) and \(\square \notin \psi \). Hence, Example 7 shows \(\mathsf{sync}(a,b) = \square (a\doteq b) \simeq \square {\text {rbf}}(\{a\doteq b\})\).     \(\triangle \)

Example 9

The stream constraint \(\mathsf{lossy}(a,b) := \square {\text {rbf}}(\{a\doteq a,a \doteq b\})\) is equivalent to \(\square (b \doteq \varvec{*} \vee a \doteq b)\). Note that \(\square {\text {rbf}}(\{\top ,a\doteq b\}) \simeq \square {\text {rbf}}(\{a\doteq b\}) \simeq \mathsf{sync}(a,b)\). Hence, rules \(a\doteq a\) and \(\top \) are very different.     \(\triangle \)

Example 10

The set of rules that define a stream constraint is not unique. Consider the stream constraint \(\mathsf{fifo}\) from Example 3. On the one hand, we have \(\mathsf{fifo}(a,b,m) \simeq m \doteq \varvec{*} \wedge \square {\text {rbf}}(\{\varphi , \psi \})\), where \(\varphi \simeq a \doteq m' \doteq \varvec{0} \wedge m \doteq \varvec{*}\) models the action that puts data in the buffer and \(\psi \simeq m' \doteq \varvec{*} \wedge b \doteq m \doteq \varvec{0}\) models the action that takes data out of the buffer. On the other hand, we have \(\mathsf{fifo}(a,b,m) \simeq m \doteq \varvec{*} \wedge \square {\text {rbf}}(\{a \doteq m' \doteq \varvec{0} \wedge b \doteq m \doteq \varvec{*}, a \doteq m' \doteq \varvec{*} \wedge b \doteq m \doteq \varvec{0}\})\).     \(\triangle \)

Example 11

Rule-based forms are an alternative to disjunctive normal forms. Consider the reflexive constraint \(\phi := \bigvee _{i=1}^n \rho _i\) in DNF for which the first conjunctive clause \(\rho _1\) is equivalent to \(\bigwedge _{x \in {\text {free}}(\phi )} x\dagger _{d(x)}\), with \(d(x) = \deg _x(\phi )\). By adding equalities of the form \(x \doteq x\), we assume without loss of generality that \({\text {free}}(\rho _i) = {\text {free}}(\phi )\), for all \(2 \le i \le n\). For \(R = \{\rho _i \mid 2 \le i \le n \}\), it follows from

$$\begin{aligned} {\text {rbf}}(R) \ \equiv \ \bigwedge _{x \in {\text {free}}(R)} \left( x\dagger _{d(x)} \vee \bigvee _{\rho \in R} \rho \right) \ \equiv \ \left( \bigwedge _{x \in {\text {free}}(\phi )} x\dagger _{d(x)}\right) \vee \bigvee _{\rho \in R} \rho \ \equiv \ \phi \end{aligned}$$
(5)

that \(\phi \) is defined by the set R.     \(\triangle \)

Definition 7 presents the rule-based form as a conjunctive normal form. The following result computes the disjunctive normal form of \({\text {rbf}}(R)\).

Lemma 2

For every set of rules R, we have

$$\begin{aligned} {\text {rbf}}(R) \ \simeq \ {\text {dnf}}(R) \ := \ \bigvee _{T \subseteq R} \bigwedge _{\rho \in T} \rho \wedge \bigwedge _{x \in {\text {free}}(R) \setminus {\text {free}}(T)} {x\dagger _{d(x)}}. \end{aligned}$$

Proof

Let \(x \in X\) be arbitrary. By construction, we have \(\deg _x({\text {dnf}}(R)) \le \max _{\rho \in R} \deg _x(\rho )\). Since \(d(x) = \max _{\rho \in R} \deg _x(\rho )\), the clause for \(T = \emptyset \) shows that \(\deg _x({\text {dnf}}(R)) \ge d(x)\). By Lemma 4, \(\deg _x({\text {rbf}}(R)) = \deg _x({\text {dnf}}(R))\), for all \(x \in X\). Hence, \({\text {free}}^k({\text {rbf}}(R))={\text {free}}^k({\text {dnf}}(R))\), for all \(k \ge 0\).

Next, we show that \({\text {rbf}}(R) \models {\text {dnf}}(R)\). Let \(\theta \in \mathcal{L}({\text {rbf}}(R))\). We find, for every \(x \in {\text {free}}(R)\), some rule \(\rho _x \in R\), such that \(\theta \models \rho _x\) and \(x \in {\text {free}}(\rho _x)\). Now, define \(T_\theta := \{ \rho _x \mid x \in {\text {free}}(R) \text { and } \theta \notin \mathcal{L}(x\dagger _{d(x)})\}\). By construction, \(\theta \models \rho _x\), for every \(\rho _x \in T_\theta \). If \(x \in {\text {free}}(R)\) and \(\theta \notin \mathcal{L}(x\dagger _{d(x)})\), then \(\rho _x \in T_\theta \) and \(x \in {\text {free}}(\rho _x) \subseteq {\text {free}}(T_\theta )\). By contraposition, we conclude that \(\theta \models x\dagger _{d(x)}\), for all \(x \in {\text {free}}(R)\setminus {\text {free}}(T_\theta )\). Hence, \(\theta \models {\text {dnf}}(R)\), and \(\mathcal{L}({\text {rbf}}(R)) \subseteq \mathcal{L}({\text {dnf}}(R))\).

Finally, we show that \({\text {dnf}}(R) \models {\text {rbf}}(R)\). Let \(\theta \in \mathcal{L}({\text {dnf}}(R))\). By definition of \({\text {dnf}}(R)\), we find some \(T \subseteq R\) with \(\theta \models \rho \), for all \(\rho \in T\), and \(\theta \models {x \dagger _{d(x)}}\), for all \(x \in {\text {free}}(R)\setminus {\text {free}}(T)\). Suppose that \(x \in {\text {free}}(R)\) and \(\theta \not \models {x\dagger _{d(x)}}\). Since \(\theta \models {x\dagger _{d(x)}}\), for all \(x \in {\text {free}}(R)\setminus {\text {free}}(T)\), we find by contraposition that \(x \in {\text {free}}(T)\). Hence, we find some \(\psi \in T\) with \(x \in {\text {free}}(\psi )\). Since \(\theta \models \rho \), for all \(\rho \in T\), we find that \(\theta \models \psi \). Hence, \(\theta \models {\text {rbf}}(R)\) and we conclude that \({\text {rbf}}(R) \simeq {\text {dnf}}(R)\).     \(\square \)

6 Composition

We express conjunction of stream constraints in terms of their defining sets of rules. That is, for two sets of rules \(R_0\) and \(R_1\), we define the composition \(R_0 \wedge R_1\) of \(R_0\) and \(R_1\), such that \({\text {rbf}}(R_0 \wedge R_1) \simeq {\text {rbf}}(R_0) \wedge {\text {rbf}}(R_1)\). If \(R_0\) and \(R_1\) do not share any variable (i.e., \({\text {free}}(R_0) \cap {\text {free}}(R_1) = \emptyset \)), composition \(R_0 \wedge R_1\) is given by the union \(R_0 \cup R_1\). In this section, we define the composition \(R_0 \wedge R_1\) of \(R_0\) and \(R_1\) for \({\text {free}}(R_0) \cap {\text {free}}(R_1) \ne \emptyset \).

In view of Example 11, consider the normal form \({\text {dnf}}(R_0 \wedge R_1)\). Since \({\text {dnf}}(R_0 \wedge R_1)\) equals \({\text {dnf}}(R_0) \wedge {\text {dnf}}(R_1)\), it suffices to characterize the set of clauses of \({\text {dnf}}(R_0) \wedge {\text {dnf}}(R_1)\). Every such clause is a conjunction of a clause in \({\text {dnf}}(R_0)\) and a clause in \({\text {dnf}}(R_1)\). Lemma 2 shows that the clauses of \({\text {dnf}}(R_i)\) correspond to subsets \(T_i\) of \(R_i\), for all \(i \in \{0,1\}\). Not every pair of subsets \(T_0 \subseteq R_0\) and \(T_1 \subseteq R_1\) yields a clause of \({\text {dnf}}(R_0) \wedge {\text {dnf}}(R_1)\), but only if \(S = T_0 \cup T_1\) is synchronous:

Definition 8

(Synchronous). A synchronous set over sets of rules \(R_0\) and \(R_1\) is a subset \(S \subseteq R_0 \cup R_1\), with \({\text {free}}(S) \cap {\text {free}}(R_i) \subseteq {\text {free}}(S \cap R_i)\), for all \(i \in \{0,1\}\).

Example 12

For any integer \(i \ge 1\), let \(\varphi _i := a_i\doteq m_i' \doteq \varvec{0} \wedge m_i \doteq \varvec{*}\) and \(\psi _i := m_i'\doteq \varvec{*} \wedge a_{i+1} \doteq m_i \doteq \varvec{0}\) be the two rules that define \(\mathsf{fifo}(a_i,a_{i+1},m_i)\), from Example 10. The synchronous sets consist of exactly those sets \(S \subseteq \{\varphi _1, \psi _1\} \cup \{\varphi _2,\psi _2\}\) that satisfy \(\psi _1 \in S\) iff \(\varphi _2 \in S\). That is, the synchronous sets are given by \(\emptyset \), \(\{\varphi _1\}\), \(\{\psi _2\}\), \(\{\psi _1,\varphi _2\}\), \(\{\varphi _1,\psi _1, \varphi _2\}\), \(\{\psi _1, \varphi _2,\psi _2\}\), \(\{\varphi _1, \psi _1, \varphi _2, \psi _2\}\).     \(\triangle \)

Next, we recognize symmetries in the collection of synchronous sets. We can construct every synchronous set as a union of irreducible synchronous subsets:

Definition 9

(Irreducibility). A non-empty synchronous set \(\emptyset \ne S \subseteq R_0 \cup R_1\) is irreducible if and only if \(S = S_0 \cup S_1\) implies \(S = S_0\) or \(S = S_1\), for all synchronous subsets \(S_0, S_1 \subseteq R_0 \cup R_1\).

Example 13

Let \(R_0\) and \(R_1\) be sets of rules, and let \(\rho \in R_0\) be a rule, such that \({\text {free}}(\rho ) \cap {\text {free}}(R_1) = \emptyset \). We show that \(\{\rho \}\) is irreducible synchronous. Since \({\text {free}}(\{\rho \}) \cap {\text {free}}(R_0) = {\text {free}}(\rho ) = {\text {free}}(\{\rho \} \cap R_0)\) and \({\text {free}}(\{\rho \}) \cap {\text {free}}(R_1) = \emptyset \subseteq {\text {free}}(\{\rho \} \cap R_1)\), we conclude that \(\{\rho \}\) is synchronous. Suppose \(\{\rho \} = S_0 \cup S_1\). Then, \(\rho \in S_i\), for some \(i \in \{0,1\}\). Hence, \(\{\rho \} \subseteq S_i \subseteq \{\rho \}\), which shows that \(S_i = \{\rho \}\). We conclude that \(\{\rho \}\) is irreducible synchronous in \(R_0 \cup R_1\).     \(\triangle \)

Example 14

Consider \(\varphi _i\) and \(\psi _i\), for \(i \in \{1,2\}\), from Example 12. The irreducible synchronous sets of \(\{\varphi _1, \psi _1\} \cup \{\varphi _2,\psi _2\}\) are \(\{\varphi _1\}\), \(\{\psi _2\}\), and \(\{\psi _1, \varphi _2\}\).      \(\triangle \)

Definition 10

(Composition). The composition of sets of rules \(R_0\) and \(R_1\) is \(R_0 \wedge R_1 := \{\bigwedge _{\rho \in S} \rho \mid S \subseteq R_0 \cup R_1 \text { irreducible synchronous} \}\).

Example 15

Let \(R_0\) and \(R_1\) be sets of rules, with \({\text {free}}(R_0) \cap {\text {free}}(R_1) = \emptyset \). By Example 13, we find that \(\{\rho \} \subseteq R_0 \cup R_1\), for all \(\rho \in R_0 \cup R_1\), is irreducible synchronous. Hence, every synchronous set \(S \subseteq R_0 \cup R_1\), with \(|S| \ge 2\), is reducible. Therefore, \(S \subseteq R_0 \cup R_1\) is irreducible synchronous if and only if \(S = \{\rho \}\), for some \(\rho \in R_0 \cup R_1\). We conclude that \(R_0 \wedge R_1 = R_0 \cup R_1\). Consequently, \(\emptyset \) is a (unique) identity element with respect to composition \(\wedge \) of sets of rules.     \(\triangle \)

To show that the composition of sets of rules coincides with conjunction of stream constraints, we need the following result that shows that every non-empty synchronous set can be covered by irreducible synchronous sets.

Lemma 3

Let \(R_0\) and \(R_1\) be sets of rules, and let \(S \subseteq R_0 \cup R_1\) be a non-empty synchronous set. Then, \(S = \bigcup _{i=1}^n S_i\), where \(S_i \subseteq R_0 \cup R_1\), for \(1 \le i \le n\), is irreducible synchronous.

Proof

We prove the lemma by induction on the size |S| of S. For the base case, suppose that \(|S| = 1\). We show that S is irreducible synchronous, which provides a trivial covering. Suppose that \(S = S_0 \cup S_1\), for some synchronous sets \(S_0,S_1 \subseteq R_0 \cup R_1\). Since \(|S| = 1\), we have \(S \subseteq S_i \subseteq S\), for some \(i \in \{0,1\}\). Hence, \(S = S_i\), and S is irreducible. We conclude that the lemma holds, for \(|S|=1\).

For the induction step, suppose that \(|S| = k > 1\), and suppose that the lemma holds, for \(|S| < k\). If S is irreducible, we find a trivial covering of S. If S is reducible, we find \(S = S_0 \cup S_1\), where \(S_0\ne S \ne S_1\) are synchronous sets in \(R_0 \cup R_1\). Since \(|S_i| < |S|\), for \(i \in \{0,1\}\), we find by the hypothesis that \(S_i = \bigcup _{j=1}^{n_i} S_{ij}\). Hence, \(S = S_0 \cup S_1 = \bigcup _{i=0}^1 \bigcup _{j=1}^{n_i} S_{ij}\). We conclude that the lemma holds, for \(|S| = k\). By induction on |S|, we conclude the lemma.     \(\square \)

Lemma 4

\(\deg _x({\text {rbf}}(R)) = \max _{\rho \in R} \deg _x(\rho )\), for all sets of rules R and \(x \in X\).

Proof

For any set of rules R and \(y \in X\), we have

$$\deg _y({\text {rbf}}(R)) = \max _{x \in {\text {free}}(R)} \max (\deg _y(x\dagger _{d(x)}), \max _{\rho \in R : x \in {\text {free}}(\rho )} \deg _y(\rho )).$$

Note that \(\deg _y(x\dagger _{d(x)}) = d(y)\), if \(y=x\), and \(\deg _y(x\dagger _{d(x)}) = -1\), otherwise. Since \(d(y) = \max _{\rho \in R} \deg _y(\rho )\), we have \(\deg _y({\text {rbf}}(R)) = \max _{\rho \in R} \deg _y(\rho )\).     \(\square \)

Theorem 3

\({\text {rbf}}(R_0 \wedge R_1) \simeq {\text {rbf}}(R_0) \wedge {\text {rbf}}(R_1)\), for all sets of rules \(R_0\) and \(R_1\).

Proof

By Lemma 4 and Definition 10, \(\deg _x({\text {rbf}}(R_0 \wedge R_1)) = \deg _x({\text {rbf}}(R_0) \wedge {\text {rbf}}(R_1))\), for all \(x \in X\). Hence, \({\text {free}}^k({\text {rbf}}(R_0 \wedge R_1))={\text {free}}^k({\text {rbf}}(R_0) \wedge {\text {rbf}}(R_1))\), for all \(k \ge 0\).

Next, we show \({\text {rbf}}(R_0) \wedge {\text {rbf}}(R_1) \models {\text {rbf}}(R_0 \wedge R_1)\). Let \(\theta \in \mathcal{L}({\text {rbf}}(R_0) \wedge {\text {rbf}}(R_1))\). By Definition 7, we must show that for every \(x \in {\text {free}}(R_0 \wedge R_1)\) there exists some \(\rho _x \in R_0 \wedge R_1\) such that \(x \in {\text {free}}(\rho _x)\) and either \(\theta \models x\dagger _{d(x)}\) or \(\theta \models \rho _x\). Hence, suppose that \(\theta \notin \mathcal{L}(x\dagger _{d(x)})\), for some variable \(x \in {\text {free}}(R_0 \wedge R_1)\). Since \({\text {free}}(R_0 \wedge R_1) = {\text {free}}(R_0) \cup {\text {free}}(R_1)\) and \(\theta \models {\text {rbf}}(R_0) \wedge {\text {rbf}}(R_1)\), we find from Definition 7 some \(\psi \in R_0 \cup R_1\), with \(\theta \models \psi \) and \(x \in {\text {free}}(\psi )\). We now show that there exists an irreducible synchronous set \(S \subseteq R_0 \cup R_1\), such that, for \(\rho _x := \bigwedge _{\rho \in S} \rho \), we have \(\theta \models \rho _x\) and \(x \in {\text {free}}(\rho _x)\). By repeated application of Definition 8, we construct a finite sequence

$$ \{\psi \} = S_0 \subsetneq \cdots \subsetneq S_n,$$

such that \(S_n \subseteq R_0 \cup R_1\) is synchronous, and \(\theta \models \bigwedge _{\rho \in S_n} \rho \). Suppose \(S_k \subseteq R_0 \cup R_1\), for \(k \ge 1\), is not synchronous. By Definition 8, there exists some \(i \in \{0,1\}\) and a variable \(x \in {\text {free}}(S_k) \cap {\text {free}}(R_i)\), such that \(x \notin {\text {free}}(S_k \cap R_i)\). Since \(x \in {\text {free}}(R_i)\), we have \(R_i^x := \{\rho \in R_i \mid x \in {\text {free}}(\rho )\} \ne \emptyset \). Since \(\theta \models {\text {rbf}}(R_i)\), there exists some \(\psi _k \in R_i^x\) such that \(\theta \models \psi _k\). Now define \(S_{k+1} := S_k \cup \{\psi _k\}\). Since \(x \notin {\text {free}}(S_k \cap R_i)\) and \(x \in {\text {free}}(S_{k+1} \cap R_i)\), we have a strict inclusion \(S_k \subsetneq S_{k+1}\). Due to these strict inclusions, we have, for \(k \ge |R_0 \cup R_1|\), that \(S_k = R_0 \cup R_1\), which is trivially synchronous in \(R_0 \cup R_1\). Therefore, our sequence \(S_0 \subsetneq \cdots \) of inclusions terminates, from which we conclude the existence of \(S_n\). By Lemma 3, we find some irreducible synchronous set \(S \subseteq S_n\), such that \(\psi \in S\). We conclude that \(\rho _x := \bigwedge _{\rho \in S} \rho \in R_0 \wedge R_1\) satisfies \(\theta \models \rho _x\) and \(x \in {\text {free}}(\psi ) \subseteq {\text {free}}(S) = {\text {free}}(\rho _x)\). By Definition 7, we have \(\theta \models {\text {rbf}}(R_0 \wedge R_1)\), and \({\text {rbf}}(R_0) \wedge {\text {rbf}}(R_1) \models {\text {rbf}}(R_0 \wedge R_1)\).

Finally, we prove that \({\text {rbf}}(R_0 \wedge R_1) \models {\text {rbf}}(R_0) \wedge {\text {rbf}}(R_1)\). Let \(\theta \in \mathcal{L}({\text {rbf}}(R_0 \wedge R_1))\). We show that \(\theta \models {\text {rbf}}(R_i)\), for all \(i \in \{0,1\}\). By Definition 7, we must show that for every \(i \in \{0,1\}\) and every \(x \in {\text {free}}(R_i)\) there exists some \(\rho \in R_i\) such that \(x\in {\text {free}}(\rho )\) and either \(\theta \models x\dagger _{d(x)}\) or \(\theta \models \rho \). Hence, let \(i \in \{0,1\}\) and \(x \in {\text {free}}(R_i)\) be arbitrary, and suppose that \(\theta \notin \mathcal{L}(x\dagger _{d(x)})\). Since \({\text {free}}(R_i) \subseteq {\text {free}}(R_0 \wedge R_1)\), it follows from our assumption \(\theta \models {\text {rbf}}(R_0 \wedge R_1)\) that \(\theta \models \bigwedge _{\rho \in S} \rho \), for some irreducible synchronous set \(S \subseteq R_0 \cup R_1\) satisfying \(x \in {\text {free}}(S)\). Since \(S \subseteq R_0 \cup R_1\) is synchronous, we find that \(x \in {\text {free}}(S) \cap {\text {free}}(R_i) = {\text {free}}(S \cap R_i)\). Hence, we find some \(\rho \in S \cap R_i\), such that \(\theta \models \rho \) and \(x \in {\text {free}}(\rho )\). By Definition 7, we conclude that \(\theta \models {\text {rbf}}(R_i)\), for all \(i \in \{0,1\}\). Therefore, \({\text {rbf}}(R_0 \wedge R_1) \simeq {\text {rbf}}(R_0) \wedge {\text {rbf}}(R_1)\).      \(\square \)

Fig. 2. Hypergraph representations of \(\bigwedge _{i=1}^2 \mathsf{fifo}(a_i,a_{i+1},m_i)\).

Example 16

Let \(\varphi _i\) and \(\psi _i\), for \(i \ge 1\), be the rules from Example 12. By Example 14, the composition \(\mathsf{fifo}_2 := \bigwedge _{i=1}^2 \mathsf{fifo}(a_i,a_{i+1},m_i)\) is defined by the set of rules \(\{\varphi _1, \psi _1 \wedge \varphi _2, \psi _2\}\). To compute a set of rules that defines the composition, it is not efficient to enumerate all (exponentially many) synchronous subsets of \(R_0 \cup R_1\) and remove all reducible sets. Our tools use an algorithm based on hypergraph transformations to compute the irreducible synchronous sets. The details of this algorithm fall outside the scope of this paper. Figure 2 shows a graphical representation of composition \(\mathsf{fifo}_2\), using hypergraphs. These hypergraphs consist of sets of hyperedges (x, F), where x is a variable and F is a set of rules. Each hyperedge (x, F) in a hypergraph corresponds to a disjunction \({x\dagger _{d(x)}} \vee \bigvee _{\rho \in F} \rho \) of the rule-based form in Definition 7.     \(\triangle \)

7 Complexity

In the worst case, composition \(R_0 \wedge R_1\) of arbitrary sets of rules \(R_0\) and \(R_1\) may consist of \(|R_0|\times |R_1|\) rules. However, if \(R_0\) and \(R_1\) are simple, the size of the composition is bounded by \(|R_0|+|R_1|\).

Definition 11

(Simple). A set R of rules is simple if and only if \({\text {free}}(\rho ) \cap {\text {free}}(\rho ') \cap P({\text {rbf}}(R)) \ne \emptyset \) implies \(\rho = \rho '\), for every \(\rho ,\rho ' \in R\).

Example 17

By Example 10, the invariant of \(\mathsf{fifo}(a,b,m)\) is defined by \(R := \{a\doteq m' \doteq \varvec{0} \wedge m \doteq \varvec{*}, m' \doteq \varvec{*} \wedge b\doteq m \doteq \varvec{0}\}\) as well as \(R' := \{a\doteq m' \doteq \varvec{0} \wedge b \doteq m \doteq \varvec{*}, a \doteq m' \doteq \varvec{*} \wedge b\doteq m \doteq \varvec{0}\}\). The set R is simple, while \(R'\) is not.     \(\triangle \)

Lemma 5

Let \(R_0\) and \(R_1\) be sets of rules, such that \({\text {free}}(R_0) \cap {\text {free}}(R_1) \subseteq P({\text {rbf}}(R_0 \cup R_1))\), and let \(S \subseteq R_0 \cup R_1\) be synchronous. Let \(G_S\) be a graph with vertices S and edges \(E_S = \{(\rho ,\rho ') \in S^2 \mid {\text {free}}(\rho ) \cap {\text {free}}(\rho ') \cap P({\text {rbf}}(R_0 \cup R_1)) \ne \emptyset \}\). If S is irreducible, then \(G_S\) is connected.

Proof

Suppose that \(G_S\) is disconnected. We find \(\emptyset \ne S_0,S_1 \subseteq S\), with \(S_0 \cup S_1 = S\), \(S_0 \cap S_1 = \emptyset \) and \({\text {free}}(S_0) \cap {\text {free}}(S_1) \cap P({\text {rbf}}(R_0 \cup R_1)) = \emptyset \). We show that \(S_0\) and \(S_1\) are synchronous. Let \(i,j \in \{0,1\}\) and \(x \in {\text {free}}(S_i) \cap {\text {free}}(R_j)\). We distinguish two cases:

Case 1 (\(x \in {\text {free}}(R_{1-j})\)): Then, \(x \in {\text {free}}(R_0)\cap {\text {free}}(R_1) \subseteq P({\text {rbf}}(R_0 \cup R_1))\). Since \({\text {free}}(S_0) \cap {\text {free}}(S_1) \cap P({\text {rbf}}(R_0 \cup R_1)) = \emptyset \), we have \(x \notin {\text {free}}(S_{1-i})\). Since S is synchronous, we have \(x \in {\text {free}}(S_i) \cap {\text {free}}(R_j) \subseteq {\text {free}}(S) \cap {\text {free}}(R_j) \subseteq {\text {free}}(S \cap R_j)\). Hence, we find some \(\rho \in S \cap R_j\), with \(x \in {\text {free}}(\rho )\). Since \(x \notin {\text {free}}(S_{1-i})\), we conclude that \(\rho \in S_i \cap R_j\). Thus, \(x \in {\text {free}}(S_i \cap R_j)\), if \(x \in {\text {free}}(R_{1-j})\).

Case 2 (\(x \notin {\text {free}}(R_{1-j})\)): Since \(x \in {\text {free}}(S_i)\), we find some \(\rho \in S_i\), with \(x \in {\text {free}}(\rho )\). Since \(x \notin {\text {free}}(R_{1-j})\), we conclude that \(\rho \in R_j\). Hence, \(x \in {\text {free}}(\rho ) \subseteq {\text {free}}(S_i \cap R_j)\), if \(x \notin {\text {free}}(R_{1-j})\).

We conclude in both cases that \(x \in {\text {free}}(\rho ) \subseteq {\text {free}}(S_i \cap R_j)\). Hence, \({\text {free}}(S_i) \cap {\text {free}}(R_j) \subseteq {\text {free}}(S_i \cap R_j)\), for all \(i,j \in \{0,1\}\), and we conclude that \(S_0\) and \(S_1\) are synchronous. Since \(S_0 \ne S \ne S_1\), we conclude that S is reducible. By contraposition, we conclude that \(G_S\) is connected, whenever S is irreducible.     \(\square \)

Lemma 6

Let \(R_0\) and \(R_1\) be simple sets of rules, with \({\text {free}}(R_0) \cap {\text {free}}(R_1) \subseteq P({\text {rbf}}(R_0 \cup R_1))\), and let \(S_0,S_1 \subseteq R_0 \cup R_1\) be irreducible synchronous. If \(S_0 \cap S_1 \ne \emptyset \), then \(S_0 = S_1\).

Proof

Suppose that \(S_0 \cap S_1 \ne \emptyset \). Then, there exists some \(\rho _0 \in S_0 \cap S_1\). We show that \(S_i \subseteq S_{1-i}\), for all \(i \in \{0,1\}\). Let \(i \in \{0,1\}\), and \(\rho \in S_i\). By Lemma 5, we find an undirected path in \(G_{S_i}\) from \(\rho _0\) to \(\rho \). That is, we find a sequence \(\rho _0\rho _1\cdots \rho _n \in S_i^*\), such that \(\rho _n = \rho \) and \((\rho _k,\rho _{k+1}) \in E_{S_i}\), for all \(0 \le k < n\). We show by induction on \(n \ge 0\), that \(\rho _n \in S_{1-i}\). For the base case (\(n = 0\)), observe that \(\rho _n = \rho _0 \in S_0 \cap S_1 \subseteq S_{1-i}\). For the induction step, suppose that \(\rho _n \in S_{1-i}\). By construction of \(G_{S_i}\), we find that \({\text {free}}(\rho _n) \cap {\text {free}}(\rho _{n+1}) \cap P_{01} \ne \emptyset \), where \(P_{01} = P({\text {rbf}}(R_0 \cup R_1))\). Let \(j \in \{0,1\}\), such that \(\rho _{n+1} \in R_j\). Since \(\rho _n \in S_{1-i}\) and \(S_{1-i}\) is synchronous, we have \(\emptyset \ne {\text {free}}(S_{1-i}) \cap {\text {free}}(R_j) \cap P_{01} = {\text {free}}(S_{1-i} \cap R_j) \cap P_{01}\). We find some \(\rho ' \in S_{1-i} \cap R_j\), with \({\text {free}}(\rho _{n+1}) \cap {\text {free}}(\rho ') \cap P_{01} \ne \emptyset \). Since \(R_j\) is simple, we have \(\rho _{n+1} = \rho ' \in S_{1-i}\), which concludes the proof by induction. It follows from \(\rho _n \in S_{1-i}\) that \(S_i \subseteq S_{1-i}\), for all \(i \in \{0,1\}\), that is, \(S_0 = S_1\).     \(\square \)

As seen in Lemma 2, the number of clauses in the disjunctive normal form \({\text {dnf}}(R_0 \wedge R_1)\) can be exponential in the number of rules \(|R_0 \wedge R_1|\) of the composition of \(R_0\) and \(R_1\). However, the following (main) theorem shows that the number of rules required to define a composition \(\bigwedge _{i=1}^k \phi _i\) of constraints defined by simple sets of rules is only linear in the number k of composed constraints.

Theorem 4

If \(R_0\) and \(R_1\) are simple sets of rules, and \({\text {free}}(R_0) \cap {\text {free}}(R_1) \subseteq P({\text {rbf}}(R_0 \cup R_1))\), then \(R_0 \wedge R_1\) is simple and \(|R_0 \wedge R_1| \le |R_0| + |R_1|\).

Proof

From Lemmas 3 and 6, we find that the irreducible synchronous subsets partition \(R_0 \cup R_1\). We conclude that \(|R_0 \wedge R_1| \le |R_0| + |R_1|\). We now show that \(R_0 \wedge R_1\) is simple. Let \(\rho _0\) and \(\rho _1\) be rules in \(R_0 \wedge R_1\), with \({\text {free}}(\rho _0) \cap {\text {free}}(\rho _1) \cap P_{01} \ne \emptyset \), where \(P_{01} = P({\text {rbf}}(R_0 \cup R_1))\). By Definition 10, we find, for all \(i \in \{0,1\}\), an irreducible synchronous set \(S_i\), such that \(\rho _i = \bigwedge _{\psi \in S_i} \psi \). Since \({\text {free}}(\rho _0) \cap {\text {free}}(\rho _1) \cap P_{01} \ne \emptyset \) and \({\text {free}}(\rho _i) = {\text {free}}(S_i)\), for all \(i \in \{0,1\}\), we find some \(x \in {\text {free}}(S_0) \cap {\text {free}}(S_1) \cap P_{01}\). Suppose that \(x \in {\text {free}}(R_j)\), for some \(j \in \{0,1\}\). Since \(S_0\) and \(S_1\) are synchronous sets, we have \(x \in {\text {free}}(S_i) \cap {\text {free}}(R_j) \subseteq {\text {free}}(S_i \cap R_j)\), for all \(i \in \{0,1\}\). We find, for all \(i \in \{0,1\}\), some \(\psi _i \in S_i \cap R_j\), such that \(x \in {\text {free}}(\psi _i)\). Hence, \({\text {free}}(\psi _0) \cap {\text {free}}(\psi _1) \cap P_{01} \ne \emptyset \), and since \(R_j\) is simple, we conclude that \(\psi _0 = \psi _1\). Therefore, \(S_0 \cap S_1 \ne \emptyset \), and Lemma 6 shows that \(S_0 = S_1\) and \(\rho _0 = \rho _1\). We conclude that \(R_0 \wedge R_1\) is simple.     \(\square \)
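As an added example for Definitions 8 to 11 and Theorem 4 (this is not the paper's tool, which uses hypergraph transformations, but a brute-force reference implementation written for this page), the following Python block enumerates the synchronous and irreducible synchronous subsets of Example 12 and Example 14, computes the composition of Definition 10 for \(\mathsf{fifo}_2\) from Example 16, and checks simplicity (Definition 11) on the sets of Example 17. It abstracts each rule by a label and its set of free variables, which is all these definitions inspect, and it takes the port set \(P({\text {rbf}}(R))\) as a caller-supplied parameter because that set is not defined in this section; treating the memory variables \(m_i\) as non-ports and the \(a_i\) as ports is an assumption of the example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Rule:
    """A rule abstracted by a label and its set of free variables.
    Definitions 8 to 11 only inspect free(rho), so the constraint body
    itself is not modelled (assumption of this example)."""
    name: str
    vars: FrozenSet[str]


def free(rules: Iterable[Rule]) -> Set[str]:
    """free(S): union of the free variables of the rules in S."""
    out: Set[str] = set()
    for rho in rules:
        out |= rho.vars
    return out


def is_synchronous(S: Iterable[Rule], R0: Iterable[Rule], R1: Iterable[Rule]) -> bool:
    """Definition 8: free(S) ∩ free(R_i) ⊆ free(S ∩ R_i), for both i."""
    S = frozenset(S)
    for Ri in (frozenset(R0), frozenset(R1)):
        if not (free(S) & free(Ri)) <= free(S & Ri):
            return False
    return True


def synchronous_sets(R0: Iterable[Rule], R1: Iterable[Rule]) -> List[FrozenSet[Rule]]:
    """All synchronous subsets of R0 ∪ R1 by exhaustive enumeration
    (exponential in |R0 ∪ R1|: a reference oracle, not the paper's algorithm)."""
    universe = sorted(frozenset(R0) | frozenset(R1), key=lambda rho: rho.name)
    found = []
    for size in range(len(universe) + 1):
        for combo in combinations(universe, size):
            S = frozenset(combo)
            if is_synchronous(S, R0, R1):
                found.append(S)
    return found


def irreducible_synchronous_sets(R0, R1) -> List[FrozenSet[Rule]]:
    """Definition 9: non-empty synchronous S that is not the union of two
    synchronous sets different from S (both are then proper subsets of S)."""
    sync = synchronous_sets(R0, R1)
    result = []
    for S in sync:
        if not S:
            continue
        proper = [T for T in sync if T < S]
        reducible = any(T0 | T1 == S for T0 in proper for T1 in proper)
        if not reducible:
            result.append(S)
    return result


def compose(R0, R1) -> FrozenSet[Rule]:
    """Definition 10: one rule ∧_{rho ∈ S} rho per irreducible synchronous S;
    the free variables of the conjunction are free(S)."""
    return frozenset(
        Rule(" ∧ ".join(sorted(rho.name for rho in S)), frozenset(free(S)))
        for S in irreducible_synchronous_sets(R0, R1)
    )


def is_simple(R: Iterable[Rule], ports: Set[str]) -> bool:
    """Definition 11, with the port set P(rbf(R)) supplied by the caller."""
    rules = list(R)
    for i, rho in enumerate(rules):
        for rho2 in rules[i + 1:]:
            if rho.vars & rho2.vars & ports:
                return False
    return True


def check_theorem4(R0, R1, ports: Set[str]) -> bool:
    """True iff the hypotheses of Theorem 4 hold for R0 and R1 and its
    conclusion (R0 ∧ R1 simple, |R0 ∧ R1| ≤ |R0| + |R1|) holds on the instance."""
    if not (is_simple(R0, ports) and is_simple(R1, ports)):
        return False
    if not (free(R0) & free(R1)) <= ports:
        return False
    C = compose(R0, R1)
    return is_simple(C, ports) and len(C) <= len(R0) + len(R1)


# Constructed instance of Example 12: fifo(a1, a2, m1) and fifo(a2, a3, m2).
PHI1 = Rule("phi1", frozenset({"a1", "m1'", "m1"}))   # a1 = m1' = 0 ∧ m1 = *
PSI1 = Rule("psi1", frozenset({"m1'", "a2", "m1"}))   # m1' = * ∧ a2 = m1 = 0
PHI2 = Rule("phi2", frozenset({"a2", "m2'", "m2"}))
PSI2 = Rule("psi2", frozenset({"m2'", "a3", "m2"}))
R0 = frozenset({PHI1, PSI1})
R1 = frozenset({PHI2, PSI2})
PORTS = {"a1", "a2", "a3"}  # assumption: the memory variables m_i are not ports

if __name__ == "__main__":
    for S in irreducible_synchronous_sets(R0, R1):
        print(sorted(rho.name for rho in S))             # Example 14
    print(sorted(rho.name for rho in compose(R0, R1)))   # Example 16
    print(check_theorem4(R0, R1, PORTS))                 # Theorem 4 on fifo_2
```

Run stand-alone, the block lists the three irreducible synchronous sets of Example 14, the three rules of Example 16, and confirms that the composition is simple with at most \(|R_0| + |R_1|\) rules. The enumeration over all subsets is exactly the exponential cost that Example 16 warns against; on this instance it also returns \(\{\varphi _1, \psi _2\}\) as synchronous (both rules are local to their own side and share no variable across the interface), a reducible set that contributes no rule to the composition, as Definition 10 prescribes. With an empty set of shared variables the function reproduces Example 15: the composition is the union of the two rule sets.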

The number of clauses in the disjunctive normal form of direct compositions of k fifo constraints grows exponentially in k. This typical pattern of a sequence of queues manifests itself in many other constructions, which causes serious scalability problems (cf., the benchmarks for ‘Alternator\(_k\)’ in [17, Sect. 7.2]). However, Theorem 4 shows that rule-based composition of k fifo constraints does not suffer from scalability issues: by Example 17, the fifo constraint can be defined by a simple set of rules. The result in Theorem 4, therefore, promises (exponential) improvement over the classical constraint automaton representation.

Unfortunately, it seems impossible to define any arbitrary stream constraint by a simple set of rules. Therefore, the rule-based form may still blow up for certain stream constraints. It seems, however, possible to recognize even more symmetries (cf., the queue-optimization in [16]) to avoid explosion and obtain comparable compilation and execution performance for these stream constraints.

8 Abstraction

We now study how existential quantification of stream constraints operates on its defining set of rules.

Definition 12

(Abstraction). Hiding a variable x in a set of rules R yields \(\exists x R := \{\exists x \rho \mid \rho \in R \}\).

Unfortunately, \(\exists x R\) does not always define \(\exists x \phi \), for a stream constraint \(\phi \) defined by a set of rules R. The following result shows that \(\exists x R\) defines \(\exists x \phi \) if and only if \({\text {rbf}}(\exists x R) \models \exists x {\text {rbf}}(R)\). In this case, we call variable x hidable in R.

It is non-trivial to find a defining set of rules for \(\exists x \phi \), if x is not hidable in R, and we leave this as future work.

Theorem 5

Let R be a set of rules, and let \(x\in X\) be a variable. Then, \(\exists x {\text {rbf}}(R) \simeq {\text {rbf}}(\exists x R)\) if and only if \({\text {rbf}}(\exists x R) \models \exists x {\text {rbf}}(R)\).

Proof

Trivially, \(\exists x {\text {rbf}}(R) \simeq {\text {rbf}}(\exists x R)\) implies \({\text {rbf}}(\exists x R) \models \exists x {\text {rbf}}(R)\). Conversely, suppose that \({\text {rbf}}(\exists x R) \models \exists x {\text {rbf}}(R)\). From Lemma 2, it follows that \(\exists x {\text {rbf}}(R) \equiv \exists x {\text {dnf}}(R)\). Since existential quantification distributes over disjunction and \(\exists x \phi \wedge \psi \models \exists x \phi \wedge \exists x \psi \), for all stream constraints \(\phi \) and \(\psi \), we find

$$\exists x {\text {dnf}}(R) \models \bigvee _{S \subseteq R} \bigwedge _{\rho \in S} \exists x \rho \wedge \bigwedge _{x \ne y \in {\text {free}}(R) \setminus {\text {free}}(S)} {y \dagger _{d(y)}} \equiv {\text {dnf}}(\exists x R).$$

By Lemma 2, we have \(\exists x {\text {rbf}}(R) \models {\text {rbf}}(\exists x R)\), and by assumption \(\exists x {\text {rbf}}(R) \equiv {\text {rbf}}(\exists x R)\). Using Lemma 4, we have \(\deg _y(\exists x {\text {rbf}}(R)) = \max _{\rho \in R} \deg _y(\exists x \rho ) = \deg _y({\text {rbf}}(\exists x R))\), for every variable y. We conclude \(\exists x {\text {rbf}}(R) \simeq {\text {rbf}}(\exists x R)\).     \(\square \)

Example 18

Suppose \(Data=\{0,1\}\), which means that the data domain equals \(D = \{0,1,*\}\). Let \(\mathbf{1}\) be the constant stream defined as \(\mathbf{1}(n) = 1\), for all \(n \in \mathbb {N}\). For \(i \in \{0,1\}\), consider the set of rules \(R_i = \{x=x, x=y_i=\mathbf{i}\}\). Observe that \(\{x=x,x=y_i=\mathbf{i}\} \subseteq R_0 \cup R_1\) is synchronous, for all \(i \in \{0,1\}\). Hence, \(x=y_i=\mathbf{i} \in R_0 \wedge R_1\), for all \(i \in \{0,1\}\). However, for \(\theta = [y_0 \mapsto \varvec{0}, y_1 \mapsto \varvec{1}]\), we have \(\theta \models \bigwedge _{i \in \{0,1\}} \exists x (x=y_i=\mathbf{i})\), while \(\exists x \bigwedge _{i \in \{0,1\}} x=y_i=\mathbf{i} \equiv \bot \). Thus, variable x is not hidable from \(R_0 \wedge R_1\).     \(\triangle \)

9 Application

In on-going work, we applied the rule-based form to compile protocols (in the form of Reo connectors) into executable code. Reo is an exogenous coordination language that models protocols as graph-like structures [1, 2]. We recently developed a textual version of Reo, which we use to design non-trivial protocols [11]. An example of such a non-trivial protocol is the Alternator\(_k\), where \(k \ge 2\) is an integer. Figure 3(a) shows a graphical representation of the Alternator\(_k\) protocol.

Intuitively, the behavior of the alternator protocol is as follows: The nodes \(P_1,\ldots ,P_k\) accept data from the environment. Node C offers data to the environment. All other nodes are internal and do not interact with the environment. In the first step of the protocol, the Alternator\(_k\) waits until the environment is ready to offer data at all nodes \(P_1,\ldots ,P_k\) and is ready to accept data from node C. Only then, the Alternator\(_k\) transfers the data from \(P_k\) to C via a synchronous channel, and puts the data from \(P_i\) in the i-th fifo channel, for all \(i < k\). The behavior of a synchronous channel is defined by the sync stream constraint in Example 1. Each fifo channel has a buffer capacity of one, and its behavior is defined by the fifo stream constraint from Example 3. In subsequent steps, the environment can one-by-one retrieve the data from the fifo channel buffers, until they are all empty. Then, the protocol cycles back to its initial configuration, and repeats its behavior. For more details on the Reo language and its semantics, we refer to [1, 2].

As mentioned in the introduction, Jongmans developed a compiler based on constraint automata [17]. The otherwise stimulating benchmarks presented in [17] show that Jongmans’ compiler still suffers from state-space explosion. Figure 3(b) shows the compilation time of the Alternator\(_k\) protocol for Jongmans’ compiler and ours. Clearly, the compilation time improved drastically and went from exponential in k to almost linear in k.

Every fifo channel in the Alternator\(_k\), except the first, either accepts data from the environment or accepts data from the previous fifo channel. This choice is made by the internal node at the input of each fifo channel. Unfortunately, the behavior of such nodes is not defined in terms of a simple set of rules. Consequently, we cannot readily apply Theorem 4 to conclude that the number of rules depends only linearly on k. However, it turns out that Alternator\(_k\) can be defined using only k rules: one rule for filling the buffers of all fifo channels, plus \(k-1\) rules, one for taking data out of the buffer of each of the \(k-1\) fifo channels. This observation explains why our compiler drastically improves upon Jongmans’ compiler.

Fig. 3. Graphical representation (a) of the Alternator\(_k\) protocol in [17], for \(2 \le k \le 500\), and its compilation time (b). The dotted red line is produced by Jongmans’ compiler (and corresponds to [17, Fig. 11(a)]), and the solid blue line by our compiler.

10 Conclusion

We introduce (regular) stream constraints as an alternative to constraint automata that does not suffer from state space explosions. We define the rule-based form for stream constraints, and we express composition and abstraction of constraints in terms of their rule-based forms. For simple sets of rules, composition of rule-based forms does not suffer from ‘transition space explosions’ either.

We have experimented with a new compiler for protocols using our rule-based form, which avoids the scalability problems of state- and transition-space explosions of previous automata-based tools. Our approach still leaves the possibility for transition space explosion for non-simple sets of rules. In the future, we intend to study symmetries in stream constraints that are not defined by simple sets of rules. The queue-optimization of Jongmans serves as a good source of inspiration for exploiting symmetries [16].

The results in this paper are purely theoretical. In on-going work, we show practical implications of our results by developing a compiler based on stream constraints. Such a compiler requires an extension to the current theory on stream constraints: we did not compute the abstraction \(\exists x R\) on sets of rules R wherein variable x is not hidable. Example 11 indicates the existence of situations where we can compute \(\exists x R\) even if x is not hidable, a topic which we leave as future work.